This is quite a way to end the year with a resurgence of nasties of all types both biological and electronic!

There is way too much press about COVID, so here we will talk about the electronic nasty – Log4j – which seems to be VERY nasty!

Below are three sections:

A security notice from BUI, our Security and Cloud specialists.
A security notice from our development division, First Digital.
A paper published by RedmondMag on the last Patch Tuesday of the year and the Log4j vulnerability.

Notice from First Tech. Security Division, BUI

EXECUTIVE SUMMARY:

A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers.

On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild.

Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform.

By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker is able to instruct that system to download and subsequently execute a malicious payload. Due to the discovery of this exploit being so recent, there are still many servers, both on-premises and within cloud environments, that have yet to be patched. Like many high severity RCE exploits, thus far, massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems.

We highly recommend that organizations upgrade to the latest version (2.15.0-rc2) of Apache log4j 2 for all systems.

Affected Software

A significant number of Java-based applications are using log4j as their logging utility and are vulnerable to this CVE. To the best of our knowledge, at least the following software may be impacted:

Apache Struts
Apache Druid
Apache Flink
ElasticSearch
Flume
Apache Dubbo
Logstash
Kafka
Spring-Boot-starter-log4j2
Apache Solr

Affected Version

Apache Log4j 2.x <= 2.15.0-rc1

Exploit

Exploit code for the CVE-2021-44228 vulnerability has been made publicly available. Any user input hosted by a Java application using the vulnerable version of log4j 2.x may be exposed to this attack, depending on how logging is implemented within the Java application.

Patch and Bypass

With the official Apache patch being released, 2.15.0-rc1 was initially reported to have fixed the CVE-2021-44228 vulnerability. However, a subsequent bypass was discovered. A newly released 2.15.0-rc2 version was in turn released, which protects users against this vulnerability.

Release log4j-2.15.0-rc2 · apache/logging-log4j2 · GitHub

Notice from First Tech. Development Division – First Digital

Multiple apps seem to use a version of the Java file, including Apache Tomcat, Cognos, PEGA, ePO, Predator, Forti. Be it 1.x or 2.x.

Versions 2.0 upward vulnerable. From 2.15 and newer it is safe. The fix could be to delete the file, to update from 2.x to 2.15 or newer or to change config files related to Java Virtual Machine. If 1.x, advised to update to 2.15 or newer.

For SQL 2019, the install places version 1.2.17 in these folders. Microsoft says that it does not use it, but it is still there. Best to delete it.

C:\Program Files\Microsoft SQL Server\150\DTS\Extensions\Common\Jars

C:\Program Files\Microsoft SQL Server (x86)\150\DTS\Extensions\Common\Jars

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Center

First Digital has not yet found a way of updating to 2.15 or newer on SQL 2019 because you need to have the correct file for SQL and you need the zip command to update, which does not exist on all servers.

Microsoft has not released an update, nor has IBM.

RedmondMag News release

By Kurt Mackie

12/14/2021

Last “Patch Tuesday” of 2021

Microsoft on Tuesday released security patches for 67 common vulnerabilities and exploits, even as organizations are scrambling to address a Log4j flaw in Apache servers that's under active exploit.

Of Microsoft's December patch total, seven vulnerabilities are labeled "Critical" by security researchers. There are six "Important" vulnerabilities, but they've all been publicly exposed before Microsoft's Tuesday patch release, which ups risks for organizations.

In addition, one of those six Important vulnerabilities, namely CVE-2021-43890, a Windows AppX Installer spoofing flaw for Windows 10 systems, is known to have been exploited.

It's this month's zero-day vulnerability.

CVE-2021-43890 has been "linked to attacks associated with the Emotet/TrickBot/Bazaloader family," which was shut down in January but reemerged in November, according to Satnam Narang, staff research engineer at security solutions firm Tenable, via e-mail.

He explained how an attack might work, as follows:

To exploit this vulnerability, an attacker would need to convince a user to open a malicious attachment, which would be conducted through a phishing attack. Once exploited, the vulnerability would grant an attacker elevated privileges, particularly when the victim’s account has administrative privileges on the system. If patching isn't an option, Microsoft has provided some workarounds to protect against the exploitation of this vulnerability.

A nice overall summary of Microsoft's December patches can be found in this Trend Micro Zero Day Initiative post by Dustin Childs. Good commentary by Automox security experts can also be found in Automox's December "Patch Tuesday" post.

Also released this month were Adobe patches, Apple patches and Google Chrome patches.

Log4Shell Alerts

There's no end to the amount of alerts about a security flaw in Log4j. Alerts popped up on Friday, and have poured forth ever since. The volume of Log4j alerts seems almost to eclipse the scale of Microsoft's monthly "update Tuesday" patch event, which is generally a pretty big thing.

Log4j is a Java code logging utility overseen by the Apache Software Foundation that's widely used in Web servers. It's subject to remote code execution attacks by sending the server log messages, typically via HTTP requests. Attackers can use this method to direct Log4j's lookup function to a Lightweight Directory Access Protocol (LDAP) server that the attackers control.

Many organizations are affected by the Log4j vulnerability. Security solutions firm Huntress offered a short list, noting that millions of apps use it, including apps from "Apple, Twitter, Steam, Tesla, Apache (e.g. Apache Struts, Solr and Druid), Redis, ElasticSearch and video games (e.g. Minecraft)."

Attacks using the Log4j vulnerability are presently active. They are being labeled "Log4Shell," and denoted as CVE-2021-44228, a vulnerability that scores 10 (out of 10) on the Common Vulnerability Scoring System (CVSSS) threat ranking index.

Almost every organization that addresses software security has issued advice on the Log4j vulnerability, such as upgrading to Log4j version 2.15.0. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a notice on Friday, followed by a "Guidance" post and a community-sourced repository. French security professional "SwitHak" has compiled a list of vendor and organizational advice on the Log4j issue in this GitHub post.

Organizations may not even know if they are using Log4j. Security solutions provider Trend has released a scanner tool to detect it in a computing environment. It also described the Log4Shell problem in this post.

Critical Microsoft Vulnerabilities

The seven Critical vulnerabilities in Microsoft's December patch bundle are all rated high on the CVSS index, with three having scores of 9.8. Here's a list of them:

CVE-2021-43215, an iSNS Server remote code execution (RCE) vulnerability (CVSS 9.8).
CVE-2021-43899, a Microsoft 4K Wireless Display Adapter RCE vulnerability (CVSS 9.8).
CVE-2021-43907, a Visual Studio Code Windows Subsystem for Linux extension RCE vulnerability (CVSS 9.8).
CVE-2021-43905, a Microsoft Office app RCE vulnerability (CVSS 9.6).
CVE-2021-42310, a Microsoft Defender for IoT RCE vulnerability (CVSS 8.1).
CVE-2021-43217, a Windows Encrypting File System RCE vulnerability (CVSS 8.1).
CVE-2021-43233, a Remote Desktop client RCE vulnerability (CVSS 7).

The iSNS Server vulnerability is yet another example, like Log4j, that organizations are subject to vulnerabilities in little-known third-party software components, according to Danny Kim, a principal architect at Virsec, via e-mail:

A recent CVE from Microsoft (CVE-2021-43215) regarding their iSNS server is another example of a RCE vulnerability found in 3rd party software. This vulnerability allows a user with a specially crafted input to execute arbitrary code on the host.

The iSNS Server vulnerability enables a "low complexity attack," according to Automox's Aleks Haugom. "A successful attack requires no user interaction and allows the attacker to execute arbitrary code," Haugom added.

Publicly Known Microsoft Vulnerabilities

The six Important publicly known vulnerabilities getting patches in this month's Microsoft bundle include the following (plus the above-described CVE-2021-43890 Windows AppX Installer flaw):

CVE-2021-43240, an NTFS Set Short Name elevation of privilege (EoP) vulnerability.
CVE-2021-43893, a Windows Encrypting File System EoP vulnerability.
CVE-2021-43883, a Windows Installer EoP vulnerability.
CVE-2021-43880, a Windows mobile device management EoP vulnerability.
CVE-2021-41333, a Windows Print Spooler EoP vulnerability.

IT pros may be experiencing some déjà vu with yet another Windows Print Spooler patch this month (think "PrintNightmare"). It's yet another one to patch, according to Automox's Chad McNaughton:

CVE-2021-41333 feels like a bad re-run, as it's yet another Windows Print Spooler vulnerability. Much like previous Print Spooler CVEs, this is a low-privilege/low-complexity, network-level remote code execution (RCE) vulnerability that requires no user interaction. Exploiting this vulnerability would allow an attacker to execute remote code on the targeted Windows device.

Year-End Tallies of Microsoft Patches

Microsoft issued patches for 887 CVEs this year, which represents "a 29% decrease from 2020," according to Trend Micro's count reported by Childs. He excluded some Edge patches released before update Tuesday in figuring that overall number.

Automox counted a total of 892 vulnerabilities patched by Microsoft this year, with 101 rated Critical and 23 known to have been exploited for the year. Microsoft's high point (or low point security wise) came in July, with a whopping 116 CVEs and 12 Critical vulnerabilities addressed, according to Automox, which offers a nice graph showing Microsoft's annual patch performance.

As usual, Microsoft is mum on counting its own patches. Microsoft's official publication is its sprawling Security Update Guide, which offers boilerplate descriptions of the fixes. Microsoft's "Release Notes" for December summarizes the affected software and lists "known issues," plus mitigations, workarounds and FAQs.