UPDATED: January 20, 2022
A severe remote code execution vulnerability has been discovered in Apache’s Log4j, versions 2.0-beta9 to 2.14.1. The vulnerability, tracked as CVE-2021-44228, was found in the logging library commonly used by developers of web and server applications based on Java and other programming languages. Because so many server-side services and applications embed this library, the vulnerability is extremely dangerous.
Verify and Update Apache Server Applications Now
Arcserve urges you to update your server applications immediately. Applications that rely on this widely used Java logging component expose your organization to remote code execution and information disclosure if they aren’t updated.
You should also urgently verify the presence and usage of vulnerable versions of Log4j in all of your applications, systems, and services across your environments. Prioritize internet-facing services first and immediately follow any update instructions.
How CVE-2021-44228 Works
The vulnerability allows an attacker to inject text into log messages or log message parameters; when the server writes that text to its logs, it triggers a lookup that loads code from a remote server. The targeted server then executes that code via calls to the Java Naming and Directory Interface (JNDI). JNDI interfaces with several network services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS), Java’s Remote Method Invocation (RMI), and the Common Object Request Broker Architecture (CORBA).
CIS / CISA Vulnerability Guidance
The Center for Internet Security offers detailed Log4j vulnerability response actions you can take to mitigate risks, while the Cybersecurity and Infrastructure Security Agency (CISA) has posted a continually updated Apache Log4j Vulnerability Guidance web page so you can be informed as new information becomes available. CISA has also released an Apache Log4j scanning solution on GitHub to find vulnerable apps and issued a new alert today with more information on mitigating Log4Shell and other Log4j-related vulnerabilities.
CISA has also released a new Log4j Vulnerability Playbook as a helpful visual guide for your response.
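To support the verification step above (finding vulnerable Log4j versions across your systems), here is an added example that is not Arcserve's code and not CISA's scanner: it inspects JAR files for a log4j-core build in the affected 2.0-beta9 to 2.14.1 range by reading the Maven pom.properties that the artifact ships with, and separately reports whether the JndiLookup class is present. The sample JAR builder is a constructed fixture for testing, not a real artifact.

```python
import io
import re
import zipfile
from pathlib import Path

# Maven metadata file that the log4j-core JAR ships with (real path).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal is the widely published workaround for older releases.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Map '2.14.1' or '2.0-beta9' to a sortable tuple; pre-releases sort below finals."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    pre = (0, tag, int(tagnum)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch or 0)) + pre

AFFECTED_LOW, AFFECTED_HIGH = parse_version("2.0-beta9"), parse_version("2.14.1")  # advisory range

def assess_jar(jar_bytes):
    """Return (version, in_affected_range, jndi_lookup_present); version is None if not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines() if POM_PROPERTIES in names else []
        version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), None)
        if version is None:  # not a log4j-core JAR, or its Maven metadata was stripped
            return None, False, has_jndi
        return version, AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH, has_jndi

def scan_tree(root):
    """Walk a directory and report every JAR that is log4j-core or carries JndiLookup."""
    report = []
    for path in Path(root).rglob("*.jar"):
        try:
            version, affected, has_jndi = assess_jar(path.read_bytes())
        except (zipfile.BadZipFile, ValueError):
            continue  # unreadable JAR or unparseable version: skip it rather than abort the scan
        if version is not None or has_jndi:
            report.append((str(path), version, affected, has_jndi))
    return report

def build_sample_jar(version, include_jndi=True):
    """Constructed fixture (not a real artifact): a minimal JAR with only the entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()
```

Shaded or repackaged JARs often lack the Maven metadata, so the version comes back as None for them; the JndiLookup flag still fires in that case, which is why scan_tree reports such JARs too.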
Update: Night Sky Ransomware Uses Log4j Bug to Hack VMware Horizon Servers
Bleeping Computer wrote this week that the Night Sky ransomware gang is exploiting the critical CVE-2021-44228 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems. The threat actor is targeting vulnerable machines exposed on the public web from domains that impersonate legitimate companies, some of them in the technology and cybersecurity sectors. Spotted in late December 2021 by security researcher MalwareHunterTeam, Night Sky ransomware focuses on locking enterprise networks. It has encrypted multiple victims, asking for an $800,000 ransom from one of them. Microsoft also published a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.
Arcserve Recommended Responses
Arcserve is currently identifying product vulnerabilities and will alert customers as more information becomes available. No Arcserve or StorageCraft (an Arcserve company) products are vulnerable to CVE-2021-44228, because they do not use the Log4j versions identified as being at risk. A future product update will include Log4j 2.16 or above, based on feasibility.