Security Bulletin: log4j Update - 15 December 2021
Since our previous update on Log4j, Log4j v2.16.0 has been released and can be found here. This release disables JNDI by default (it must be explicitly re-enabled through configuration, via the log4j2.enableJndi system property) and completely removes support for message lookups. A new CVE (CVE-2021-45046) has also been published, affecting Log4j versions prior to 2.16.0. The fix for the original vulnerability (CVE-2021-44228) shipped in 2.15.0 was incomplete in certain non-default configurations: where the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map pattern, and an attacker controls the Thread Context Map input data, crafted input can cause a denial of service (DoS). This vulnerability is also addressed in Log4j v2.16.0.
Triskele Labs recommends that no other version of Log4j be used and that customers running Log4j in their environments upgrade to v2.16.0 wherever possible. Where Log4j is embedded in third-party applications, follow the vendors' advisories closely for patches and updates that address the Log4j vulnerability.

Our Cyber Threat Intelligence (CTI) Team has identified threat actors using the Log4j exploit to gain access to environments and deploy Khonsari and AvosLocker ransomware, and to drop the Orcus Remote Access Trojan (RAT) onto systems. Triskele Labs is continually monitoring customer environments for unusual activity that could result from Log4j exploitation.

Note that vulnerable versions of Log4j may be packaged deep within other software (for example a log4j-core jar nested inside a WAR or EAR, or bundled into a vendor's application archive) and may not be identified by vulnerability scanners that only inspect top-level packages. Process-creation monitoring that captures the full command line (Windows Security Event ID 4688 with command-line auditing enabled, Sysmon Event ID 1, or an EDR tool) remains an accurate way to identify Log4j usage in an environment, because a Java process that loads log4j-core from its -cp/-classpath names the jar on the command line. Jars pulled in via a manifest Class-Path or nested inside a deployed archive do not appear there, so pair command-line monitoring with an archive scan of the hosts it flags.
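The two identification techniques described above, recursive inspection of nested Java archives and extraction of log4j-core jars from captured process command lines, as an added example that is not Triskele Labs' code. The archives and the command line it inspects are constructed in memory for the demonstration; the only real identifiers it relies on are the Maven pom.properties path and the JndiLookup class path that every genuine log4j-core jar carries. A vendor jar that relocates (shades) the org.apache.logging.log4j packages would be missed by this check.

```python
"""Find Log4j 2 (log4j-core) inside nested archives and in process command lines.

Added example, not part of the Triskele Labs bulletin. All archives and the
sample command line below are constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Every genuine log4j-core jar carries its version in this Maven metadata file
# and (up to and including 2.16.0) ships the JndiLookup class at this path.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CMDLINE_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar", re.IGNORECASE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release strings such as '2.0-beta9' yield None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version):
    """Map a log4j-core version to the CVEs covered by the bulletin.

    CVE-2021-44228 is fixed in 2.15.0; CVE-2021-45046 is fixed in 2.16.0.
    The Java 7 release 2.12.2 fixes both and is excluded from either CVE.
    """
    if version is None:
        return ["unknown-version"]
    if version[0] != 2 or version == (2, 12, 2):
        return []  # Log4j 1.x is a separate code base, outside these CVEs
    if version < (2, 15, 0):
        return ["CVE-2021-44228", "CVE-2021-45046"]
    if version < (2, 16, 0):
        return ["CVE-2021-45046"]
    return []


def scan_archive(data, path):
    """Recursively walk a zip-based archive (jar/war/ear) and report every
    log4j-core found, however deeply it is nested."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()  # list, so report order follows archive order
        has_pom, has_jndi = POM_PROPS in names, JNDI_LOOKUP in names
        if has_pom or has_jndi:
            version = None
            if has_pom:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                version = parse_version(m.group(1)) if m else None
            findings.append({"path": path, "version": version,
                             "jndi_lookup": has_jndi, "cves": assess(version)})
        for name in names:
            if not name.lower().endswith(ARCHIVE_EXTS):
                continue
            inner = zf.read(name)
            if zipfile.is_zipfile(io.BytesIO(inner)):
                findings.extend(scan_archive(inner, f"{path}!{name}"))
    return findings


def scan_cmdline(cmdline):
    """Pull log4j-core jars out of a captured process command line
    (Windows 4688 with command-line auditing, Sysmon Event ID 1, or EDR)."""
    hits = []
    for m in CMDLINE_RE.finditer(cmdline):
        version = tuple(int(x) for x in m.groups())
        hits.append({"jar": m.group(0), "version": version, "cves": assess(version)})
    return hits


def build_archive(entries):
    """Constructed zip archive; jar, war and ear files are all plain zips."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: an EAR carrying a WAR that nests a vulnerable log4j-core
# two levels down, plus a patched 2.16.0 at the EAR's own lib/ level.
def demo_findings():
    class_stub = b"\xca\xfe\xba\xbe"  # class-file magic only; not real bytecode
    old_core = build_archive({POM_PROPS: "version=2.14.1\n", JNDI_LOOKUP: class_stub})
    new_core = build_archive({POM_PROPS: "version=2.16.0\n", JNDI_LOOKUP: class_stub})
    war = build_archive({"WEB-INF/web.xml": "<web-app/>",
                         "WEB-INF/lib/log4j-core-2.14.1.jar": old_core})
    ear = build_archive({"META-INF/application.xml": "<application/>",
                         "app.war": war, "lib/log4j-core-2.16.0.jar": new_core})
    return scan_archive(ear, "app.ear")


# Constructed sample command line of the kind 4688/Sysmon would record.
SAMPLE_CMDLINE = (
    r'"C:\Program Files\Java\jre1.8.0_311\bin\java.exe" -Xmx2g '
    r'-cp "C:\app\lib\log4j-core-2.13.3.jar;C:\app\lib\log4j-api-2.13.3.jar;'
    r'C:\app\app.jar" com.example.Main'
)

if __name__ == "__main__":
    for f in demo_findings():
        print(f)
    for h in scan_cmdline(SAMPLE_CMDLINE):
        print(h)
```

The verdict is keyed on version alone; the jndi_lookup flag is reported separately so that a jar from which JndiLookup.class has been deleted as an interim mitigation is still visible to the analyst rather than silently marked clean.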