Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Published on: 2021 Dec 11, updated 2022 Apr 6. SUMMARY SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.

msrc-blog
#sql#vulnerability#web#mac#windows#microsoft#linux#apache#java#kubernetes#intel#rce#log4j#auth

Published on: 2021 Dec 11, updated 2022 Apr 6.

SUMMARY SUMMARY

Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.

Our security teams have been analyzing our products and services to identify and mitigate any instances of CVE-2021-44228 and CVE-2021-45046 in Apache Log4j 2.

Affected Microsoft products requiring customer action have been released in our Security Update Guide - CVE-2021-44228. Customers are encouraged to apply these updates as quickly as possible. If you are using any Microsoft services other than those explicitly listed in the CVE, no action is required by you at this time. As we continue our investigation, we will notify affected parties if we identify any impact to customer data.

To help customers protect themselves, we are also providing the following product specific guidance to help customers improve their security posture. Links are provided to jump to the content below:

Mitigation Guidance for Microsoft Services

Azure Bot Service

Azure Arc-enabled Data Services

Azure App Service (Windows and Linux and Containers)

Azure Application Gateway, Azure Front Door, and Azure WAF

Azure Databricks

Azure Functions

Azure HDInsight

Azure Spring Cloud

Cosmos DB SDKs

Cosmos DB Spring Connector

Cosmos DB Spark Connector

Microsoft Azure AD

Minecraft: Java Edition

SQL Server (on Windows) - all editions

SQL Server (on Linux) - all editions

SQL Server 2019 Big Data Clusters

SQL Server on Azure VM/IaaS

Information for Security Operations and Hunters

Apply the Latest Security Updates Apply the Latest Security Updates

To address these vulnerabilities, Microsoft recommends customers apply the latest security updates. Please review the Apache CVEs and the Apache security advisory for further details:

  • Apache Log4j 2.x CVEs: CVE-2021-44228 and CVE-2021-45046
  • Apache security advisory: Apache Log4j Security Vulnerabilities

All systems, including those that are not internet facing, are potentially vulnerable to these vulnerabilities, so backend systems and microservices should also be upgraded. No Java version can mitigate these vulnerabilities. The recommended action is to update Apache Log4j 2. An application restart will be required.

  • Java 8 or newer: update Log4j to 2.16.0 or later
  • Java 7: update to Log4j 2.12.2 or later

Systems that have already been updated to 2.15.0 should move to 2.16.0 or later as soon as possible for extra protection against other potential vulnerabilities described in CVE-2021-45046.

Systems running on Log4j 1.x are not impacted by these vulnerabilities. In 2015, Apache announced Log4j 1.x has reached end-of-life. Microsoft recommends customers to upgrade to Log4j 2.16.0 or later for the latest security updates.

  • Apache Announcement: Log4j 1.x End of Life
  • Apache Log4j 1.x vulnerability - 1.2 up to 1.2.17: CVE-2019-17571

Workarounds Workarounds

To help mitigate the risk of these vulnerabilities in Log4j 2.x until the more complete security update can be applied, customers should consider the following mitigations steps for all releases of Log4j 2.x – except releases 2.16.0 or later and 2.12.2. These workarounds should not be considered a complete solution to resolve these vulnerabilities:

  • For all releases of Log4j 2.x prior to 2.16.0, the most effective mitigation, besides a security update, is to prevent the JndiLookup.class file from being loaded in the applications’s classpath.

    • Customers can do this by deleting the class from affected JAR files. For example:
      $ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    • Log4j may also be present in other files as a bundle or as a shaded library. Microsoft advises customers to do an extensive search beyond log4j-core-*.jar files.
  • In case the Log4j 2 vulnerable component cannot be updated, Log4j versions 2.10 to 2.14.1 support the parameter log4j2.formatMsgNoLookups to be set to ‘true’, to disable the vulnerable feature. Ensure this parameter is configured in the startup scripts of the Java Virtual Machine:
    -Dlog4j2.formatMsgNoLookups=true.

  • Alternatively, customers using Log4j 2.10 to 2.14.1 may set the LOG4J_FORMAT_MSG_NO_LOOKUPS=”true” environment variable to force this change.

  • Kubernetes administrators may use “kubectl set env” to set the LOG4J_FORMAT_MSG_NO_LOOKUPS=”true” environment variable to apply the mitigation across Kubernetes clusters where the Java applications are running Log4j 2.10 to 2.14.1, effectively reflecting on all pods and containers automatically.

  • An application restart will be required for these changes to take effect.

Background of Log4j Background of Log4j

The vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046 and referred to as “Log4Shell,” affects Java-based applications that use Log4j 2 versions 2.0 through 2.15.0. Log4j 2 is a Java-based logging library that is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications. The scope of impact has expanded to thousands of products and devices, including Apache products such as Struts 2, Solr, Druid, Flink, Swift, Karaf, and others.

Because these vulnerabilities are in a Java library, the cross-platform nature of Java means the vulnerabilities are exploitable on many platforms, including Windows, macOS, and Linux. As many Java-based applications can leverage Log4j 2 directly or indirectly, organizations should contact application vendors or ensure their Java applications are running the latest up-to-date version. Developers using Log4j 2 should ensure that they are incorporating the latest version of Log4j into their applications as soon as possible to protect users and organizations.

Analysis of the vulnerabilities Analysis of the vulnerabilities

The vulnerabilities allow remote code execution by an unauthenticated attacker to gain complete access to a target system. It can be triggered when a specially crafted string is parsed and processed by the vulnerable Log4j 2 component. This could happen through any user provided input.

Successful exploitation allows for arbitrary code execution in the targeted application. Attackers do not need prior access to the system to log the string and can remotely cause the logging event by using commands like curl against a target system to log the malicious string in the application log. When processing the log, the vulnerable system reads the string and executes it, which in current attacks is used to execute the code from the malicious domain. Doing so can grant the attacker full access and control of the affected application.

Given the fact that logging code and functionalities in applications and services are typically designed to process a variety of external input data coming from upper layers and from many possible vectors, the biggest risk factor of these vulnerabilities is predicting whether an application has a viable attack vector path that will allow the malformed exploit string to reach the vulnerable Log4j 2 code and trigger the attack. A common pattern of exploitation risk, for example, is a web application with code designed to process usernames, referrer, or user-agent strings in logs. These strings are provided as external input (e.g., a web application built with Apache Struts). An attacker can send a malformed username or set user-agent with the crafted exploit string hoping that this external input will be processed at some point by the vulnerable Log4j 2 code and trigger code execution.

Figure 1. CVE-2021-44228 and CE-2021-45046 exploit vectors and attack chain

Mitigation Guidance for Microsoft Services Mitigation Guidance for Microsoft Services

After further analysis of our services and products, below are a few mitigation strategies given by various Microsoft services.

The mitigation based on disabling message lookup functionality – through enabling the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS – does not cover all risks related to these vulnerabilities. Customers should still apply the latest security updates or apply other documented mitigation steps such as the removal of the JndiLookup.class file from the application classpath.

Azure Bot Service Azure Bot Service

Azure Bot Service does not use log4j and is not affected. However, customers of the Java Bot Framework SDK should update their dependencies to 4.14.2 in their bot project. Any explicit dependencies on Log4j in their bot project should be updated to 2.17.1.

Azure Arc-enabled Data Services Azure Arc-enabled Data Services

SQL Arc-enabled data services include includes Elasticsearch, which uses Log4j. Microsoft recommends that all Customers upgrade to December 2021 release which has updated the Log4J library to 2.16.0. Azure Arc-enabled data services us Elasticsearch version 7.9.1 on JDK 11, which is not affected by this vulnerability. For more information, refer to Elastic bulletin: Apache Log4j2 Remote Code Execution (RCE) Vulnerability – CVE–2021–44228 – ESA–2021–31 – Announcements / Security Announcements – Discuss the Elastic Stack.

As a defense in depth measure, Microsoft recommends customers modify the logsdb statefulset/elasticsearch container to set the following environment variable to true.

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Azure App Service (Windows, Linux and Containers) Azure App Service (Windows, Linux and Containers)

Azure App Service and Functions does not distribute Log4J in the managed runtimes such as Tomcat, Java SE, JBoss EAP, or the Functions Runtime. However, your applications may use Log4J and be susceptible to these vulnerabilities.

Customers are recommended to apply the latest Log4j security updates and re-deploy applications.

If you are not able to re-package your application with a newer version of Log4j and you are using Log4j versions 2.10 to 2.14, you can mitigate by creating an application setting for the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS with value true , with the Azure CLI as follows:

$ az webapp config appsettings set \
 --resource-group <group-name> \
 --name <app-name> \
 --settings LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Note that this command will also restart your App Service hosted application.

Azure Application Gateway, Azure Front Door, and Azure WAF Azure Application Gateway, Azure Front Door, and Azure WAF

In our investigation so far, we have not found any evidence that these services are vulnerable however customer applications running behind these services might be vulnerable to this exploit. We highly recommend customers to follow mitigations and workarounds mentioned in this blog to protect their applications. Additional guidance for Azure WAF is located here.

Azure Databricks Azure Databricks

Your instance may be vulnerable if you have installed an affected version of Log4j or have installed services that transitively depend on an affected version. For more information on checking for vulnerable Log4j 2 instances installed, please see the following Microsoft Document: Verify the version of Log4j on your cluster.

Azure Functions Azure Functions

Customers are recommended to apply the latest Log4j security updates and re-deploy applications. If you are not able to and you are using Log4j versions 2.10 to 2.14.1, configuring the environment variable or system property will depend on your choice of hosting option: dedicated, premium or consumption.

  • Dedicated and Premium Functions : Create two application settings:

    1. LOG4J_FORMAT_MSG_NO_LOOKUPS with value =true
    2. WEBSITE_USE_PLACEHOLDER with value =0
  • This can be done with the following Azure CLI command:

$ az functionapp config appsettings set \ --subscription \ --name \ --resource-group \ --settings “LOG4J_FORMAT_MSG_NO_LOOKUPS=true” “WEBSITE_USE_PLACEHOLDER=0”

  • Consumption Functions:

  • Linux : Create an application setting named “languageWorkersjavaarguments” with a value of “-Dlog4j2.formatMsgNoLookups=true”.

  • Windows : Create an application setting named “languageWorkers:java:arguments” with a value of “-Dlog4j2.formatMsgNoLookups=true”.

Note that these application settings will restart your Function apps, and it will no longer use warm workers which will impact future cold-start performance.

Azure HDInsight Azure HDInsight

All Azure HDInsight clusters created prior to 16 Dec 2021 at 01:15 UTC have been patched and rebooted to mitigate the Log4j vulnerability as described in Microsoft’s Response to CVE-2021-44228 Apache Log4j 2, unless customer configurations prevented the updates. All Azure HDInsight 5.0, 4.0, and 3.6 clusters for currently supported components were patched.

Any HDI 4.0 clusters created post 27 Dec 2021 00:00 UTC are created with an updated version of the image which mitigates the log4j vulnerabilities. Hence, customers need not patch/reboot these clusters.

Action recommended Action recommended

For new clusters created using HDI 4.0 between 16 Dec 2021 at 01:15 UTC and 27 Dec 202100:00 UTC, HDI 3.6 or in pinned subscriptions after 16 Dec 2021 the patch is auto applied within the hour in which the cluster is created, however customers must then reboot their nodes for the patching to complete (except for Kafka Management nodes, which are automatically rebooted).

The following node types require a reboot after the patch is applied:

Cluster Type

Node Types that should be rebooted

Kafka & HBase

Head Nodes

Hadoop, Spark, Interactive Hive/LLAP

Head Nodes & Worker Nodes

If you regularly delete and recreate clusters, or if your configurations prevent Microsoft from making updates to your clusters, it is required that you run the https://hdiconfigactions.blob.core.windows.net/patch-log4j-cve/patch-log4j-cve-2021-44228-all-rev2.sh patch as part of the cluster creation process as a persisted script action, and then immediately schedule a reboot on the node types listed above. Jobs should only be executed after the patch has been applied and the impacted nodes have been rebooted to ensure that the vulnerability has been fixed.

The patch should be run on each new cluster as a persisted script action until a new HDInsight image is available that incorporates the patch.

Azure Spring Cloud Azure Spring Cloud

Applications deployed to Azure Spring Cloud may use Log4j and be susceptible to this vulnerability. Log4j usage may originate from:

  • Your application sources.
  • Application Performance Monitoring tools activated for the application.

Spring Boot Applications Spring Boot Applications

Spring Boot applications are only affected if they have switched the default logging framework to Log4j 2. The log4j-to-slf4j and log4j-api jar files that are included in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core are vulnerable. If your application is impacted and you can redeploy the application, we recommend that you upgrade your application with the latest security updates for Log4j, and redeploy to Azure Spring Cloud – see more details at Log4j 2 vulnerability and Spring Boot.

If you are not able to re-deploy, you may mitigate impacted applications that are using Log4j 2.10 to 2.14.1 by setting the log4j2.formatMsgNoLookups system property to _true _OR by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. You can set the system property or environment variable using:

  • Azure Portal
  • Azure CLI
  • ARM Template
  • Bicep or
  • Terraform.

****For Example** – set the system property log4j2.formatMsgNoLookups via the Azure Portal or CLI For Example – set the system property log4j2.formatMsgNoLookups via the Azure Portal or CLI**

In the Azure Portal, navigate to your application in Azure Spring Cloud and change the configuration as illustrated below:

You can set the log4j2.formatMsgNoLookups system property to true using the Azure CLI:

$ az spring-cloud app update -s ${SERVICE_NAME} \ -n ${APP_NAME} -d ${DEPLOYMENT_NAME} -g ${RESOURCE_GROUP} \ --jvm-options=’-Dlog4j2.formatMsgNoLookups=true’

****For Example** – set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable via the Azure Portal or CLI For Example – set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable via the Azure Portal or CLI**

In the Azure Portal, navigate to your application in Azure Spring Cloud and change the configuration as illustrated below:

You can set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true using the Azure CLI:

$ az spring-cloud app update -s ${SERVICE_NAME} \
-n ${APP_NAME} -d ${DEPLOYMENT_NAME} -g ${RESOURCE_GROUP} \
–env ‘LOG4J_FORMAT_MSG_NO_LOOKUPS=true’

Application Performance Monitoring tools activated by your application Application Performance Monitoring tools activated by your application

Applications in Azure Spring Cloud are only impacted by the Log4j vulnerability if users activated New Relic and AppDynamics Java Agents. Applications monitored by Application Insights or Dynatrace Java Agents do not carry any potential risk associated with the Log4j vulnerability.

We already patched-in updated New Relic and AppDynamics Java Agents. If you activated New Relic or AppDynamics Agents for your applications, we recommend that you restart your applications. Azure Spring Cloud will take steps to automatically protect customers and auto-restart any application with activated New Relic or AppDynamics Java Agents by Tuesday, December 21st, 2021 to ensure the latest fixes take effect.

Cosmos DB SDKs Cosmos DB SDKs

Cosmos DB SDKs do not have dependency on Log4j 2 and allow customers to independently bring their own logging technologies. If customers independently decide to use Log4j 2 they should ensure to use Log4j 2.16.0 or above

Cosmos DB Spring Connector Cosmos DB Spring Connector

Cosmos DB Spring Connector does not have dependency on Log4j 2 and is not impacted. If customers rely on spring boots defaults and use Log4j2, they should ensure they use proper version of Log4j2 (>= 2.16.0).

Cosmos DB Spark Connector Cosmos DB Spark Connector

Cosmos DB Spark Connector does not have runtime dependency on Log4j 2. Cosmos DB Spark Connector utilizes underlying spark offering logging technologies.

Microsoft Azure AD Microsoft Azure AD

While the industry is determining and mitigating overall exposure, attackers are probing all endpoints for vulnerabilities. Applying rigorous least privilege access policies to all resources in your environment is critical. If you use Azure Active Directory for single-sign on in your environment, we recommend you do the following with a special focus on applications you deploy or manage directly (SaaS apps, including those deployed by Microsoft, must be secured by their vendors). Note that log4j2 usage may be pre-auth for some of your applications, but these steps will help prevent post-authentication exploitation. Templates and examples for these policies are built in to facilitate deployment:

  • To facilitate these steps and minimize business impact, you may wish to use application tagging capabilities to identify those applications which you haven’t validated as patched and target stricter policies to them.
  • Enable MFA for all access to these resources to prevent probing using accounts with compromised passwords.
  • If you are using Azure AD Identity Protection, enable blocking on risky logins (we recommend blocking on medium or higher). This will prevent access via ToR exit nodes and anonymizing VPNs.
  • If you use Azure AD Conditional Access, restrict access to your resources to known/trusted locations or networks.
  • Require Azure AD joined or better, MDM managed devices to access these resources.
  • Monitor the risky sign in reports or use the risk workbook to track anomalous logins to your applications to help focus your investigations.
  • While ADFS, as a Windows service, does not use the impacted libraries, other federation providers do. If you use a non-Microsoft federation provider (for example, for SAML 2.0), watch for token anomalies which indicate compromise of those systems.

For key guidance on securing your identity deployment, see https://aka.ms/securitysteps.

Minecraft: Java Edition Minecraft: Java Edition

We’ve taken steps to keep our Minecraft customers safe and protected, which included rolling out a fix that blocks this issue for Minecraft Java Edition 1.18.1. Minecraft customers running their own servers are encouraged to deploy the latest Minecraft server update to protect their users. More information is available at Security Vulnerability in Minecraft: Java Edition.

SQL Server (on Windows) - all editions SQL Server (on Windows) - all editions

Note : If a customer installs Java support and deploys Java Archives (JARs) that depend on the Log4j 2 library, they are advised to upgrade to the latest version or remove the Java Archives (JARs) that require the dependency.

SQL Server (on Linux) - all editions SQL Server (on Linux) - all editions

Note : If a customer installs Java support and deploys Java Archives (JARs) that depend on the Log4j 2 library, they are advised to upgrade to the latest version or remove the Java Archives (JARs) that require the dependency.

SQL Server 2019 Big Data Clusters SQL Server 2019 Big Data Clusters

SQL Server 2019 Big Data Clusters includes Elasticsearch, which uses Log4j. Microsoft recommends that all Customers upgrade to Cumulative Update (CU) 9 or higher. CU 9 for SQL Server Big Data Cluster ships with Elasticsearch version 7.9.1 on JDK 11, which is not affected by this vulnerability (SQL Server Big Data Clusters cumulative updates history). For more information, refer to Elastic bulletin: Apache Log4j2 Remote Code Execution (RCE) Vulnerability – CVE–2021–44228 – ESA–2021–31 – Announcements / Security Announcements – Discuss the Elastic Stack.

As a defense in depth measure, Microsoft recommends customers modify the logsdb statefulset/elasticsearch container to set the following environment variable to true.

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Note : While the Elasticsearch version that ships with SQL Server 2019 Big Data Clusters CU9 is not impacted due to the use of Java Security Manager, an affected version of the Log4j library is still present. Microsoft will release an update for SQL Server 2019 Big Data Clusters that updates the Log4j library to 2.16.0 as soon as possible.

SQL Server on Azure VM/IaaS SQL Server on Azure VM/IaaS

Note : If an application in the VM uses Log4j, it may be susceptible to this vulnerability. Please follow mitigation guidance published here.

Information for Security Operations and Hunters Information for Security Operations and Hunters

Microsoft security teams have put together the following guidance and resources to help customers understand these vulnerabilities and to help detect and hunt for exploits:

  • Microsoft Security blog describing the nature of current attacks Microsoft is observing. The blog also contains guidance on how to use Microsoft security products to detect and hunt for malicious activity, and apply protections: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation

  • RiskIQ (acquired by Microsoft in August 2021) published threat intelligence article to the community portal with information about these vulnerabilities and exploitation of them, as well as detections and mitigations: CVE-2021-44228 Apache Log4j Remote Code Execution Vulnerability

  • Microsoft 365 Defender threat analytics article with detection information and potential impacts to customer environments: CVE-2021-44228 Log4j active exploitation (sign in is required)

    • NOTE : Microsoft 365 Defender customers can click Need help? in the portal to open up a search widget. Customers can key in Log4j terms to search for in-portal resource to check if their network is affected, and work on corresponding actionable items to mitigate them.

The MSRC Team

We will further update this guidance as we continue to learn from our investigation.

Revision History:
4/6/2022 - Added information about Azure Bot Service.
12/20/2021 - Added information about three Cosmos products: Cosmos DB SDKs, Cosmos DB Spring Connector, and Cosmos DB Spark Connector.
12/18/2021 - Update to indicate releases 2.16.0 or later
12/17/2021 - Update based on new findings related to CVE-2021-45046 impacting Log4j 2.15.0, Released guidance for Azure Arc-enabled Data Services, SQL Server for Windows and Linux, SQL Server 2019 Big Data Clusters, and SQL Server on Azure VM/IaaS.
12/16/2021 - Clarified customer guidance in the summary and linked to affected software in the security update guide.
12/15/2021 - Clarified guidance on Azure service. Added guidance for Java 7. Added guidance on Azure libraries for Java.
12/14/2021 - Added HDInsights guidance, updated guidance for CVE-2021-45046, and updated workaround guidance.
12/13/2021 - Added table to index guidance, added additional guidance for Azure WAF and Azure Spring Cloud.
12/11/2021 - Initial publication.

Related news

Old Vulnerability Rated 9.9 Impacts All GNU/Linux Systems, Researcher Claims

A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers…

Gentoo Linux Security Advisory 202402-16

Gentoo Linux Security Advisory 202402-16 - Multiple vulnerabilities have been discovered in Apache Log4j, the worst of which can lead to remote code execution. Versions less than or equal to 1.2.17 are affected.

8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack

By Deeba Ahmed The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when they targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware. This is a post from HackRead.com Read the original post: 8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack

CVE-2023-43041: Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities in components.

IBM QRadar SIEM 7.5 is vulnerable to information exposure allowing a delegated Admin tenant user with a specific domain security profile assigned to see data from other domains. This vulnerability is due to an incomplete fix for CVE-2022-34352. IBM X-Force ID: 266808.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

CVE-2023-28864: Chef Infra Server Release Notes

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

CVE-2022-47501: The Apache OFBiz® Project - Security

Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a  pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.

Ubuntu Security Notice USN-5998-1

Ubuntu Security Notice 5998-1 - It was discovered that the SocketServer component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. It was discovered that the JMSSink component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code.

CVE-2022-38775: Security issues

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Iranian APT Targets US With Drokbk Spyware via GitHub

The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.

Intel Data Center Manager 5.1 Local Privilege Escalation

The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.

Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

By Waqas The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB). This is a post from HackRead.com Read the original post: Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

Quarterly Report: Incident Response Trends in Q3 2022

Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter By Caitlin Huey. For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter.   It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming ...

U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2022-21586: Oracle Critical Patch Update Advisory - July 2022

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

DHS Review Board Deems Log4j an 'Endemic' Cyber Threat

Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.

Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched,

CVE-2022-32552: Security Advisory for security-bundle-2022-04-04

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.

CVE-2022-33915: ALAS-2022-1601

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.

RHSA-2022:5053: Red Hat Security Advisory: log4j security update

An update for log4j is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-17571: log4j: deserialization of untrusted data in SocketServer

CVE-2022-29405: Archiva Documentation – Release Notes for Archiva 2.2.8

In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2021-44548: Solr™ Security News

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.

CVE-2021-22057: VMSA-2021-0030

VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.

CVE-2021-45046: security - CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

CVE-2021-44228: Log4j – Apache Log4j Security Vulnerabilities

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVE-2021-42117: Release Notes - TopEase Documentation

Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.

CVE-2021-32002: Cybersecurity Advisory - Secomea

Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware.

CVE-2021-2163: Oracle Critical Patch Update Advisory - April 2021

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CV...

CVE-2021-2154: Oracle Critical Patch Update Advisory - April 2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2019-17571

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVE-2019-9167: Security Disclosures - Nagios

Cross-site scripting (XSS) vulnerability in Nagios XI before 5.5.11 allows attackers to inject arbitrary web script or HTML via the xiwindow parameter.

msrc-blog: Latest News

Mitigating NTLM Relay Attacks by Default