One Article Review

Home - The article:
Source Cybereason
Identifier 3889904
Publication date 2021-12-17 15:00:00 (viewed: 2021-12-27 14:06:26)
Title UPDATED: Cybereason Log4Shell Vaccine Offers Permanent Mitigation Option for Log4j Vulnerabilities (CVE-2021-44228 and CVE-2021-45046)
Text UPDATED: Cybereason Log4Shell Vaccine Offers Permanent Mitigation Option for Log4j Vulnerabilities (CVE-2021-44228 and CVE-2021-45046)

UPDATE 12/17/21: The Logout4Shell Vaccine has been updated to add a persistent option alongside the existing one, which reverted upon server restart. The previous version of the Vaccine used the Log4Shell vulnerability to remove the JNDI interpolator entirely from all logger contexts, preventing the vulnerability from being exploited in the running JVM (server process). This update not only fixes the vulnerability in the running process but also edits the jar file on disk to remove the JndiLookup class, permanently mitigating Log4Shell on a running server. It also performs additional changes on the plugin registry. Due to the nature of the permanent solution, there is nominal risk involved, so the Vaccine offers the option to execute either the completely safe but temporary solution or the slightly more risky but permanent solution. The documentation has been updated to reflect that both options are now supported.

The Log4Shell vulnerability still requires patching. This updated Logout4Shell mitigation option can give security teams the time required to roll out patches while reducing the risk from exploits targeting the Log4j vulnerability. The latest version is pushed to our GitHub at https://github.com/Cybereason/Logout4Shell

UPDATE 12/15/21: Our initial vaccine approach was to set the formatMsgNoLookups flag to "true" and reconfigure the Log4j logger, which supported versions >= 2.10.0. In this updated Vaccine technique, to support older versions (< 2.10.0) where the flag does not exist, the Vaccine instead removes the JNDI interpolator entirely from all logger contexts. The update also makes this removal behavior the default even in cases where the flag is still supported.

We still highly recommend upgrading to 2.16.0, or removing the JNDI class entirely from each server if upgrading to the latest patched version is not possible for your organization at this time. This updated Vaccine version also mitigates the most recent lower-severity vulnerability disclosure (CVE-2021-45046), which was patched in log4j version 2.16.0. This vulnerability showed that in certain scenarios, for example where attackers can control a thread-context variable that gets logged, even the flag log4j2.formatMsgNoLookups is insufficient to mitigate Log4Shell. The text below has been updated to reflect the latest guidance and changes to the temporary workaround Vaccine developed by Cybereason.

=============================================================

Cybereason researchers have developed and released a "vaccine" for the Apache Log4Shell vulnerabilities (CVE-2021-44228) and (CVE-2021-4504
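The permanent option described above, removing the JndiLookup class from the log4j-core jar on disk, as an added example that is not taken from Cybereason's Logout4Shell code: a Python script that finds jars still carrying the class, rewrites them without it while keeping a .bak copy for rollback, and re-scans to verify. The sample jar it builds is constructed for the demo and holds no real bytecode; the script covers only the on-disk jar, not the plugin registry or the running JVM that the Vaccine also handles.

```python
import os, shutil, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def has_jndi_lookup(jar_path):
    """True if the jar still ships the JndiLookup class (the JNDI interpolator entry point)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, keeping <jar>.bak for rollback; True if removed."""
    if not has_jndi_lookup(jar_path):
        return False
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:  # copy every other entry unchanged
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)  # swap the rewritten archive into place
    return True

def scan_tree(root):
    """Sorted paths of every .jar under root that still contains JndiLookup.class."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".jar") and zipfile.is_zipfile(path) and has_jndi_lookup(path):
                hits.append(path)
    return sorted(hits)

def demo():
    """Build a constructed stand-in for log4j-core in a temp dir, vaccinate it, report before/after."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "lib", "log4j-core-SAMPLE.jar")
    os.makedirs(os.path.dirname(jar))
    with zipfile.ZipFile(jar, "w") as zf:  # constructed sample entries, not real bytecode
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    before = len(scan_tree(root))
    removed = remove_jndi_lookup(jar)
    with zipfile.ZipFile(jar) as zf:
        remaining = sorted(zf.namelist())
    result = {"before": before, "removed": removed, "after": len(scan_tree(root)),
              "remaining": remaining, "backup": os.path.exists(jar + ".bak")}
    shutil.rmtree(root)
    return result
```

Run `demo()` to see the scan report before and after; on a real host, point `scan_tree` at the application's library directory and call `remove_jndi_lookup` on each hit after stopping the service.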
Sent Yes
Tags Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.