-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
RCE 0-day exploit found in log4j
4 January 2022
AusCERT Security Bulletin Summary
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Denial of Service -- Remote/Unauthenticated
CVE Names: CVE-2021-45105 CVE-2021-45046 CVE-2021-44832
Revision History: January 4 2022: Added additional patch information and CVE to advisory
                  December 20 2021: Added additional patch information and CVE to advisory
                  December 16 2021: Added additional patch information and CVE to advisory
                  December 13 2021: CVE added to advisory and reference URL corrected
                  December 10 2021: Updated Overview and Mitigation details
                  December 10 2021: Initial Release
log4j has been reported to be vulnerable to remote code execution.
2.0 <= Apache log4j2 <= 2.14.1
JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector.
Internet wide scanning for Apache Log4j has been reported.
UPDATE: All versions of log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
are listed as vulnerable to a new CVE, CVE-2021-45046.
UPDATE: Apache log4j2 versions 2.0-alpha1 through 2.16.0 were found vulnerable to a new CVE, CVE-2021-45105.
UPDATE: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) were found vulnerable to a new CVE, CVE-2021-44832.
Lunasec has gathered information about PoC code that may cause log4j,
a popular Java logging package, to execute arbitrary code.
Currently no CVE or CVSS score has been issued for this vulnerability, and
the impact/vector provided is guidance only.
Media reports of the vulnerability are circulating.
A patch has been made available in advance of the official log4j website.
CVE-2021-44228 has been assigned to this vulnerability.
CVE-2021-45046 was also assigned to this vulnerability. It has been classified as DoS.
There are reports that CVE-2021-45046 can also be exploited to exfiltrate data if log4j is left at patch level 2.15.0.
CVE-2021-45105 has been identified, which enables an attacker to cause a denial of service on the affected system.
CVE-2021-44832 has been identified, which enables an attacker with permission to modify the logging configuration to achieve remote code execution.
The following is suggested as a mitigation step by Lunasec.
"Start your server with log4j2.formatMsgNoLookups set to true,
or update to log4j-2.15.0-rc1 or later.
(Kudos to @80vul for tweeting)"
A patch is also available in the absence of the log4j website.
UPDATE: log4j-2.15.0-rc2 is available.
UPDATE: log4j-2.16.0 is available and is the recommended patch level to address both CVEs.
log4j 2.12.2 (Java 7) and log4j 2.16.0 (Java 8) were released to address CVE-2021-45046.
log4j 2.17.0 (Java 8) was released to address CVE-2021-45105.
log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) were released to address CVE-2021-44832.
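Because the affected ranges and fix releases above are spread over several updates, an operator auditing a host needs them in one place. The following is an added example (not AusCERT's or the Log4j project's code) that encodes the bulletin's version ranges and per-Java-line fix releases, classifies a log4j-core version string against them, and walks a directory tree for log4j-core jars, reading the version from the jar manifest's Implementation-Version header or, failing that, from a file name of the form log4j-core-<version>.jar (both assumptions about how the jars are packaged). The ranges are taken from this bulletin as written, with one stated deviation: CVE-2021-44228 is split around 2.12.2, the Java 7 fix release the bulletin names, since upstream release notes list that release as closing the CVE as well. The sample jars used by demo() are constructed in a temporary directory and carry only a manifest.

```python
import os
import re
import sys
import tempfile
import zipfile

# Affected ranges as this bulletin lists them (inclusive, by version string).
# CVE-2021-44228 is split around 2.12.2, the Java 7 fix release named in the
# bulletin, which upstream release notes also list as closing that CVE.
AFFECTED = {
    "CVE-2021-44228": (("2.0-beta9", "2.12.1"), ("2.13.0", "2.14.1")),
    "CVE-2021-45046": (("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")),
    "CVE-2021-45105": (("2.0-alpha1", "2.16.0"),),
    "CVE-2021-44832": (("2.0-beta7", "2.17.0"),),
}
# Fix releases per maintenance line, as named in the bulletin.
FIXED_RELEASE = {(2, 3): "2.3.2", (2, 12): "2.12.4"}   # Java 6 / Java 7 lines
DEFAULT_FIXED = "2.17.1"                                # Java 8 line

PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")


def parse_version(text):
    """Turn '2.0-beta9' / '2.15.0-rc1' / '2.17.1' into a comparable tuple.
    Pre-releases sort below the final release of the same number."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre = (PRERELEASE_RANK[m[4]], int(m[5])) if m[4] else (3, 0)
    return (major, minor, patch) + pre


def recommended_fix(version):
    """Fix release for the maintenance line the version belongs to."""
    major, minor = parse_version(version)[:2]
    return FIXED_RELEASE.get((major, minor), DEFAULT_FIXED)


def applicable_cves(version):
    """CVEs from this bulletin that apply to the given log4j-core version."""
    pv = parse_version(version)
    if pv >= parse_version(recommended_fix(version)):
        return []   # at or beyond the fix release for its line
    return [
        cve for cve, ranges in AFFECTED.items()
        if any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in ranges)
    ]


def version_from_jar(path):
    """Read Implementation-Version from the jar manifest (assumed present);
    fall back to the log4j-core-<version>.jar file name convention."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    m = re.search(r"log4j-core-(\d[^/\\]*)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def scan_tree(root):
    """Find log4j-core jars under root and classify each one."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = version_from_jar(path)
                if version is None:
                    continue
                findings.append({"path": path, "version": version,
                                 "cves": applicable_cves(version),
                                 "fix": recommended_fix(version)})
    return findings


def make_sample_jar(path, version):
    """Write a minimal constructed jar carrying only a manifest (sample data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo():
    """Constructed sample: one unpatched and one patched jar in a temp tree."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(tmp, "service", "log4j-core-2.17.1.jar"), "2.17.1")
        return sorted((f["version"], f["cves"], f["fix"]) for f in scan_tree(tmp))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in scan_tree(sys.argv[1]):
            print(f["path"], f["version"], ", ".join(f["cves"]) or "not affected", "->", f["fix"])
    else:
        for version, cves, fix in demo():
            print(version, ", ".join(cves) or "not affected", "->", fix)
```

Run it with a directory argument to audit a real tree, or without one to see the constructed sample. The scan only looks at log4j-core jars sitting directly on disk; copies bundled inside fat jars, WAR or EAR archives are not opened, and a log4j 1.x jar is reported as not covered by this bulletin rather than as safe.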
 RCE 0-day exploit found in log4j, a popular Java logging package
 Worst Apache Log4j RCE Zero day Dropped on Internet
 Minecraft and other apps face serious threat from Log4j code
 Apache Log4j Security Vulnerabilities
 GreyNoise.io 2 unique IP's scanning the internet for the new Apache
 Log4j 2.15.0 stills allows for exfiltration of sensitive data
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----