[Ambience 202x]: Zero-day exploits and vulnerabilities in log4j 2.x and logback

This entry covers the three log4j vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, and the logback vulnerability CVE-2021-42550.

Reference Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550


Description:
[CVE-2021-44228, log4j] - A zero-day exploit
JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

[CVE-2021-45046, log4j]
The fix for CVE-2021-44228 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, attackers with control over Thread Context Map (MDC) input data could cause a Denial of Service (DoS).

[CVE-2021-45105, log4j]
Apache log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect against uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

[CVE-2021-42550, logback]
Injection vulnerability: an attacker with the privileges required to edit configuration files could craft a malicious configuration that executes arbitrary code loaded from LDAP servers.


Affected log4j versions:

  • All Apache log4j versions from 2.0-beta9 up to, but not including, 2.17.0
    >= 2.0-beta9 and <= 2.16.0

Resolution:

  • Upgrade to Elixir Ambience v2021.2c which bumps log4j versions to 2.16.0
    Affected Version          Upgrade Version
    Elixir Ambience 2021.2    Elixir Ambience 2021.2c

Affected logback versions:

  • All logback versions 1.2.7 and prior
    <= 1.2.7

Resolution:

  • Upgrade to Elixir Ambience v2021.2c which bumps all logback to version 1.2.9
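A quick way to check a resolved dependency list against the version ranges stated above is to compare parsed version strings, taking care that pre-release qualifiers such as 2.0-beta9 sort below the corresponding final release. The script below is an added example, not part of this advisory or of the Ambience product; it applies only the summary ranges given here (log4j >= 2.0-beta9 and <= 2.16.0, logback <= 1.2.7), does not model per-CVE exceptions such as the 2.12.3 exclusion, and the dependency list SAMPLE_DEPS is constructed for illustration.

```python
"""Flag log4j-core / logback-classic versions inside the affected ranges stated
in this advisory.  Added example, not the advisory's or vendor's own code; the
artifact names and SAMPLE_DEPS below are constructed for illustration."""
import re
from functools import total_ordering

# Pre-release qualifiers rank below a final release: 2.0-alpha1 < 2.0-beta9 < 2.0-rc1 < 2.0
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = (99, 0)  # any final release sorts above every pre-release of the same number


@total_ordering
class Version:
    """Minimal parser for Maven-style versions like 2.16.0, 1.2.7, 2.0-beta9."""

    _PATTERN = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+)?)?")

    def __init__(self, text):
        m = self._PATTERN.fullmatch(text.strip())
        if not m:
            raise ValueError(f"unrecognised version string: {text!r}")
        major, minor, patch, qualifier, qnum = m.groups()
        self.nums = (int(major), int(minor), int(patch or 0))
        self.pre = (QUALIFIER_RANK[qualifier], int(qnum or 0)) if qualifier else FINAL_RANK

    def _key(self):
        return (self.nums, self.pre)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()


# Ranges exactly as stated in the advisory's "Affected ... versions" sections.
LOG4J_LOW, LOG4J_HIGH = Version("2.0-beta9"), Version("2.16.0")
LOGBACK_HIGH = Version("1.2.7")


def is_affected(artifact, version):
    """True when the (artifact, version) pair lies inside an advisory range."""
    v = Version(version)
    if artifact == "log4j-core":
        return LOG4J_LOW <= v <= LOG4J_HIGH
    if artifact == "logback-classic":  # logback-core ships with the same version number
        return v <= LOGBACK_HIGH
    return False


def audit(deps):
    """deps: iterable of (artifact, version); returns the affected pairs in order."""
    return [(a, v) for a, v in deps if is_affected(a, v)]


# Constructed sample, in the shape of a build tool's resolved dependency graph.
SAMPLE_DEPS = [
    ("log4j-core", "2.14.1"),
    ("log4j-core", "2.0-beta8"),
    ("log4j-core", "2.16.0"),
    ("log4j-core", "2.17.0"),
    ("logback-classic", "1.2.7"),
    ("logback-classic", "1.2.9"),
    ("commons-io", "2.11.0"),
]

if __name__ == "__main__":
    for artifact, version in audit(SAMPLE_DEPS):
        print(f"AFFECTED {artifact} {version}")
```

Feed it the artifact/version pairs from your build's resolved dependency report (for example the output of a Maven or Gradle dependency listing) rather than the declared versions, since transitive dependencies are where an old log4j-core usually hides.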

Do contact sales@elixirtech.com if your project is using any of the affected versions, to download the updated product builds that address the above vulnerabilities.