
CVE-2021-44228 - Log4Shell



Ecessa Statement:

Ecessa products do not use Java or Log4j and are not vulnerable to this issue.

 

Blocking exploit attempts with Ecessa IDS/IPS:

Refer to the IDS / IPS documentation for initial setup and configuration. The rules created specifically for CVE-2021-44228 have the following IDs:

2034647,2034648,2034649,2034650,2034651,2034652,2034653,2034654,2034655,2034656,2034657,2034658,2034659,2034660,2034661,2034662,2034663,2034664,2034665,2034666,2034667,2034668,2034699,2034670,2034671,2034672,2034673,2034674,2034676,2034700,2034701,2034702,2034703

To set these rules to drop traffic, use the Signature Actions tab to create a rule with the Signature IDs listed above.

 

Advisory source:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Description of vulnerability:

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
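To verify the class-removal mitigation described above on your own systems, the following added example (not Ecessa's or Apache's code) checks whether JndiLookup.class is still present in a log4j-core jar, including copies bundled inside application archives. The function names are hypothetical, the version is assumed to be readable from the conventional log4j-core-<version>.jar file name, and the sample archives are constructed in memory.

```python
import io
import re
import zipfile

# Class path taken from the advisory's "zip -q -d" mitigation example.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")

def scan_archive(data, label, findings=None, depth=0):
    """Inspect a jar/war/ear given as bytes, descending into nested archives."""
    findings = [] if findings is None else findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            m = CORE_JAR.search(label)
            if m or JNDI_CLASS in names:
                findings.append({
                    "archive": label,
                    "version": tuple(int(g or 0) for g in m.groups()) if m else None,
                    "jndi_lookup_present": JNDI_CLASS in names,
                })
            for n in names:
                if depth < 3 and n.lower().endswith((".jar", ".war", ".ear")):
                    scan_archive(zf.read(n), f"{label}!/{n}", findings, depth + 1)
    except zipfile.BadZipFile:
        findings.append({"archive": label, "error": "unreadable archive"})
    return findings

def needs_action(finding):
    """Class still present and version <= 2.14.1 (the advisory's range) or unknown."""
    if not finding.get("jndi_lookup_present"):
        return False
    version = finding["version"]
    return version is None or version <= (2, 14, 1)

def make_jar(entries):
    """Build a jar in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a fat jar bundling an unpatched and a stripped log4j-core.
    unpatched = make_jar({JNDI_CLASS: b"", "META-INF/MANIFEST.MF": b""})
    stripped = make_jar({"META-INF/MANIFEST.MF": b""})
    app = make_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": unpatched,
                    "BOOT-INF/lib/log4j-core-2.13.3.jar": stripped})
    for f in scan_archive(app, "app.jar"):
        print("ACTION" if needs_action(f) else "ok", f)
```

To check a real file, pass its bytes and path, for example `scan_archive(open(path, "rb").read(), path)`.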
