Comprehensive Analysis of CVE-2021-45046: Mitigating Risks in Apache Log4j Systems

Executive Summary

CVE-2021-45046 is a significant vulnerability found in the widely used Apache Log4j logging library, affecting versions from 2.0.0 to 2.16.0. This vulnerability emerged as a result of an incomplete fix for the previously identified CVE-2021-44228, also known as "Log4Shell." The flaw allows for remote code execution (RCE) in certain non-default configurations, posing a substantial risk to affected systems. This report delves into the technical intricacies of CVE-2021-45046, its exploitation in the wild, and the mitigation strategies that organizations should adopt to safeguard their systems.

Technical Information

CVE-2021-45046 stems from the improper handling of the Thread Context Map (MDC) in Log4j. Attackers can craft malicious input data using a JNDI (Java Naming and Directory Interface) Lookup pattern, which can result in denial of service (DoS) or potentially remote code execution (RCE). The CVSS score for this vulnerability is 3.7, categorizing it as medium severity; however, the potential impact on systems running vulnerable versions of Log4j is significant.

The vulnerability affects Apache Log4j versions from 2.0.0 to 2.16.0. The initial fix for CVE-2021-44228 in Log4j 2.15.0 was incomplete, leaving certain non-default configurations vulnerable. Attackers can exploit this flaw by manipulating the MDC to inject malicious data, which is then processed by the logging library, leading to potential RCE.

The JNDI Lookup pattern is a critical component of this vulnerability. JNDI is used for remote lookups, and when exploited, it can be used to execute arbitrary code on the target system. This makes the vulnerability particularly dangerous, as it can be leveraged to gain unauthorized access to systems and deploy malware.

Exploitation in the Wild

The exploitation of CVE-2021-45046 has been observed in various operating systems, including macOS, Fedora, Arch Linux, and Alpine Linux. The vulnerability is not limited to these systems and can potentially affect any environment using the vulnerable versions of Log4j.

One notable example of exploitation in the wild is the EnemyBot botnet, attributed to the cybercrime group Keksec. This botnet has incorporated exploits for CVE-2021-45046 and targets various devices, including routers and web servers. The EnemyBot botnet is known for its rapid adoption of new exploits and its ability to target multiple architectures, including arm, bsd, x64, and x86. The botnet employs several methods to spread, including using hardcoded username/password combinations and shell commands to infect misconfigured devices. More details can be found at Security Affairs (https://securityaffairs.co/wordpress/131783/malware/enemybot-botnet-new-exploits.html).

APT Groups using this vulnerability

Various APT (Advanced Persistent Threat) groups have been observed attempting to exploit CVE-2021-45046. These groups leverage the vulnerability to gain unauthorized access to systems and deploy malware. While specific group names have not been disclosed in the public domain, it is clear that the vulnerability is being actively targeted by sophisticated threat actors. The sectors and countries targeted by these APT groups include critical infrastructure, financial institutions, and government agencies across North America, Europe, and Asia.

Affected Product Versions

The affected product versions for CVE-2021-45046 are Apache Log4j versions from 2.0.0 to 2.16.0. Organizations using these versions should prioritize upgrading to the latest version to mitigate the risk of exploitation.

Workaround and Mitigation

The primary mitigation strategy for CVE-2021-45046 is to upgrade to Log4j version 2.17.0 or later, where the vulnerability has been fully addressed. For those unable to upgrade immediately, it is recommended to disable JNDI lookups by setting the system property log4j2.formatMsgNoLookups to true. This configuration change can help mitigate the risk of exploitation until a full upgrade can be performed.
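The two conditions this report describes, a log4j-core version below the upgrade threshold and a non-default PatternLayout that pulls Thread Context Map (MDC) data into log output, can be checked mechanically. The following Python script is an added example written for this page; it is not code from the Rescana report or from the Apache Log4j project. It assumes log4j-core jars follow the standard log4j-core-<version>.jar naming, takes the 2.17.0 upgrade threshold from this report, and treats Context Lookups ($${ctx:...}) and Thread Context Map conversion patterns (%X, %mdc, %MDC) as the risky layout elements, which is how the Apache Log4j security page linked in the References describes the affected non-default configurations. The log4j2.xml samples inside the script are constructed for illustration. One caveat from that same Apache page: it lists log4j2.formatMsgNoLookups among the insufficient mitigations for CVE-2021-45046, so the script reports the property's state but does not let it clear the exposure verdict.

```python
"""Defender-side checks for the two CVE-2021-45046 conditions discussed in
this report: a log4j-core version below the upgrade threshold, and a
PatternLayout that references Thread Context Map (MDC) data.

Added example for this page; not code from the Rescana report or Apache Log4j.
"""
import re
import xml.etree.ElementTree as ET

# Upgrade threshold as stated in the report: 2.17.0 or later.
FIXED_VERSION = (2, 17, 0)

# Layout elements the Apache Log4j security page names as the non-default
# configurations exposed to CVE-2021-45046:
#   - Context Lookups such as $${ctx:loginId} (or ${ctx:loginId})
#   - Thread Context Map conversion patterns: %X, %mdc, %MDC
CONTEXT_LOOKUP_RE = re.compile(r"\$\$?\{ctx:[^}]*\}")
THREAD_CONTEXT_PATTERN_RE = re.compile(r"%(?:X|mdc|MDC)\b")

# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] $${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

MDC_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <File name="File" fileName="app.log">
      <PatternLayout>
        <Pattern>%d %p %c{1.} [%t] %X{loginId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="File"/></Root></Loggers>
</Configuration>"""

HARDENED_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""


def parse_version(jar_name):
    """Return (major, minor, patch) from a name like log4j-core-2.14.1.jar,
    or None when the name does not carry a plain three-part version."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", jar_name)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def needs_upgrade(jar_name):
    """True when the jar's version is below the report's 2.17.0 threshold."""
    version = parse_version(jar_name)
    return version is not None and version < FIXED_VERSION


def find_risky_patterns(config_xml):
    """Return [(pattern, reason)] for every PatternLayout in a log4j2.xml
    document whose pattern pulls Thread Context data into log output."""
    root = ET.fromstring(config_xml)
    findings = []
    for layout in root.iter("PatternLayout"):
        # The pattern may be an attribute or a nested <Pattern> element.
        pattern = layout.get("pattern") or ""
        child = layout.find("Pattern")
        if child is not None and child.text:
            pattern = child.text.strip()
        if CONTEXT_LOOKUP_RE.search(pattern):
            findings.append((pattern, "Context Lookup"))
        elif THREAD_CONTEXT_PATTERN_RE.search(pattern):
            findings.append((pattern, "Thread Context Map pattern"))
    return findings


def assess(jar_name, config_xml, format_msg_no_lookups=False):
    """Combine both checks. 'exposed' is True only when the jar is below the
    threshold AND the layout references Thread Context data. The
    log4j2.formatMsgNoLookups property is reported but never clears
    'exposed': the Apache security page lists it as insufficient for this CVE."""
    risky = find_risky_patterns(config_xml)
    upgrade = needs_upgrade(jar_name)
    return {
        "needs_upgrade": upgrade,
        "risky_patterns": risky,
        "format_msg_no_lookups": format_msg_no_lookups,
        "exposed": upgrade and bool(risky),
    }


if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("mdc", MDC_CONFIG),
                       ("hardened", HARDENED_CONFIG)]:
        print(label, assess("log4j-core-2.15.0.jar", cfg, format_msg_no_lookups=True))
```

Run it as-is to see the three verdicts for a 2.15.0 jar; in practice you would point `find_risky_patterns` at each deployed log4j2.xml and `needs_upgrade` at the jar names found on the classpath. A hardened layout still yields `needs_upgrade: True` for a pre-2.17.0 jar, which matches the report's advice that the configuration change is a stopgap, not a substitute for upgrading.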

References

For further information on CVE-2021-45046, please refer to the following authoritative sources:

NVD: CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046)

Red Hat: Red Hat Security Advisory (https://access.redhat.com/security/cve/cve-2021-45046)

The Hacker News: Second Log4j Vulnerability Discovered (https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html)

Apache Logging Services: Apache Log4j Security (https://logging.apache.org/security.html)

Rapid7: Apache Log4j Core: CVE-2021-45046 (https://www.rapid7.com/db/vulnerabilities/apache-log4j-core-cve-2021-45046)

Elastic: Analysis of Log4Shell vulnerability & CVE-2021-45046 (https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046)

Rescana is here for you

At Rescana, we understand the critical importance of staying ahead of emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities in your environment. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your systems and ensuring your organization's security.
