Microsoft Tech Community

(Updated 21-DEC) Security Advisory - Apache Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Microsoft

Microsoft is investigating the remote code execution vulnerability in Apache Log4j (a logging library used by many Java-based applications) disclosed on 9 Dec 2021. MITRE has designated this vulnerability CVE-2021-44228, with a severity rating of 10.0. It was followed by vulnerabilities disclosed on 14 Dec 2021 (CVE-2021-45046), potentially affecting non-standard configurations, and on 16 Dec 2021 (CVE-2021-45105).

For the latest status of Microsoft’s investigation, please see Microsoft’s Response to CVE-2021-44228 Apache Log4j 2.


This advisory will continue to be updated as new information becomes available. 


(Last Updated 21-DEC-2021)   


The advisory was updated to reflect that version 10.5.5 has been released with the latest Apache Log4j 2.17.0 and validated to mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. 


We strongly recommend our customers implement the following mitigation steps based on an internal analysis of possible attack vectors.  


Mitigation Guidance for Microsoft Defender for IoT 

For Defender for IoT security appliances (OT network sensors and on-premises management console): 

  1. Deploy the latest software release
    As of version 10.5.4, all components that were affected by CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have been upgraded and secured. Customers are strongly encouraged to apply this update as soon as possible.

  2. Manual Workaround 
    The workarounds described below will mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, and can be used until upgrading to version 10.5.4 or above. 

    > OT Network Sensor 
    Using SSH, login as an administrator with full privileges. Execute the following: 
    echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && sed -i 's/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-jar\x27,/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-Dlog4j2\.formatMsgNoLookups=true\x27, \x27-jar\x27,/' /usr/local/bin/cyberx-xsense-cip-query-controllers && monit restart all" | sudo at now + 1 minutes

    > On Premises Management Console 
    Using SSH, login as an administrator with full privileges. Execute the following: 
    echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && monit restart all" | sudo at now + 1 minutes

    If you need further assistance, please open a support ticket to contact our support team.
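As an added verification check (not tooling from this advisory or the Defender for IoT product), the following POSIX shell script audits the component start scripts for the flag the workaround above inserts, and reports running JVMs that still lack it because the component was not restarted. It assumes the advisory's /var/cyberx/components/*/start.sh layout and a host with find, grep, ps and awk.

```shell
#!/bin/sh
# Added verification example, not tooling from the advisory: confirm that the
# manual Log4j workaround above took effect. Assumes the advisory's layout
# (/var/cyberx/components/*/start.sh) and a host with find, grep, ps and awk.

FLAG='Dlog4j2.formatMsgNoLookups=true'

# List each start.sh under $1 that configures Log4j (-Dlog4j.configurationFile)
# but still lacks the mitigation flag, using the same grep -L test the workaround
# relies on. Returns 0 when nothing is missing, 1 if a script is unpatched,
# 2 if the directory does not exist (never silently "OK" on a wrong path).
audit_start_scripts() {
    root="${1:-/var/cyberx/components}"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    missing=$(find "$root" -name start.sh -exec grep -L "$FLAG" {} + |
        while IFS= read -r f; do
            if grep -q 'Dlog4j.configurationFile=' "$f"; then
                echo "$f"
            fi
        done)
    if [ -n "$missing" ]; then
        printf 'MISSING -%s in:\n%s\n' "$FLAG" "$missing"
        return 1
    fi
    echo "OK: every Log4j start script under $root carries -$FLAG"
}

# A patched start.sh only protects the component once it has been restarted
# (the workaround does this with 'monit restart all'), so also inspect the
# command line of every running java process. Returns 0 if none lacks the flag.
audit_running_jvms() {
    ps -eo args 2>/dev/null | awk -v flag="-$FLAG" '
        $1 ~ /(^|\/)java$/ && index($0, flag) == 0 {
            print "RUNNING WITHOUT FLAG: " $0; bad++
        }
        END { exit bad ? 1 : 0 }'
}

# Run both checks; exit 1 if either finds a gap. Invoke as: sh audit.sh --run [root]
main() {
    status=0
    audit_start_scripts "$@" || status=1
    audit_running_jvms || status=1
    return $status
}
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Run it once before and once after the `monit restart all` completes: the first call should show no missing scripts, the second no running JVM without the flag.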


The Defender for IoT cloud service does not use log4j and is not vulnerable to any active attack vector caused by CVE-2021-44228 and CVE-2021-45046. 


Latest Threat Intelligence Update for Monitoring CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Microsoft has released a dedicated Threat Intelligence update package for detecting Log4j exploit attempts on the network (example below).  


[Image: example detection of a Log4j exploit attempt]


The package is available for download from the Microsoft Defender for IoT portal (Click Updates, then Download file).  


[Image: Threat Intelligence package download in the Defender for IoT portal]

MD5 Hash - 512081a7ce19e436c9ff7ed672024354


Update your system with the latest TI package: 

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release (click here for more information). Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT. Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating in the Defender for IoT portal by onboarding your cloud-connected sensor with the Automatic Threat Intelligence Updates toggle turned on.


Additionally, the package can be downloaded from the Microsoft Defender for IoT portal, under Updates: 


[Image: Updates page in the Defender for IoT portal]

To update a package on a single sensor: 

  1. Go to the Microsoft Defender for IoT Updates page. 
  2. Download and save the Threat Intelligence package. 
  3. Sign into the sensor console. 
  4. On the side menu, select System Settings. 
  5. Select Threat Intelligence Data, and then select Update. 
  6. Upload the new package. 

To update a package on multiple sensors simultaneously: 

  1. Go to the Microsoft Defender for IoT Updates page. 
  2. Download and save the Threat Intelligence package. 
  3. Sign into the management console. 
  4. On the side menu, select System Settings. 
  5. In the Sensor Engine Configuration section, select the sensors that should receive the updated packages. 
  6. In the Select Threat Intelligence Data section, select the plus sign (+). 
  7. Upload the package. 

For more information, please review Update threat intelligence data | Microsoft Docs 


For further information

Follow the MSRC blog for more information, which is updated with information and protection details as they become available. For a more in-depth analysis of the vulnerability, exploitation, detections, and mitigations, consult the RiskIQ (acquired by Microsoft in August 2021) analysis. 
