https://community.splunk.com/t5/Splunk-AppDynamics/Log4j-vulnerabilities-version-2-17-1-and-before/m-p/723117#M3537 <P>Community,</P><P>If have been out on a deserted island, there were a few NIST vulnerabilities reported that has impacted AppDynamics controllers (saas and on-prem) and a number of Java based agents.&nbsp;&nbsp;</P><P>The main reason why I am authoring this thread for the community is to hopefully offer my perspective but also humbly request that if I got something wrong or missed something, you take the five minutes to call it out and help myself/others understand better the nature of this beast.</P><P>Vulnerabilities seem to be falling into three buckets.</P><P>1. Directly - Has the Apache log4j jars (core) with a version that is impacted</P><P>2. Indirectly - A library jar has the log4j jars within it (nested jars)</P><P>3. Diverged - At some point the log4j source was branched and modified to a custom version</P><P>1. Case - machine agent within the &lt;agent home&gt;/lib/log4j-core-2.x.jar</P><P>2. Don't have a good example of this for AppDynamics</P><P>3. Case - machine agent within the &lt;agent-home&gt;/lib/singularity-log4j-1.2.15.6.jar within the&nbsp;</P><P>singularity-log4j-1.2.15.6.jar\com\singularity\util\org\apache\log4j\.</P><P>&nbsp; &nbsp; &nbsp; &nbsp; Within the third example there is a NOTICE file in the META-INF folder that has "Copyright 2017. AppDynamics modified from Log4j2.&nbsp; So the Log4J was after the end of life of 1.2.x and without a different detection method, we are unsure if the vulnerabilities that plague us are within this variant (yes, Loki reference)</P><P>Now we can get into the detection methods.&nbsp;</P><P><STRONG>By File Name</STRONG></P><P>For case 1, it is a simple directory listing and search for log4j*.&nbsp; Case 2 gets a bit messy since each of the JAR files have to be listed to search for Log4j.&nbsp; &nbsp;The third case, is much like case 2, but we get into a mess since as exampled above the file name is mauled up with "singularity".</P><P><STRONG>By JVM Class presence</STRONG></P><P>For each of the three cases, this method requires another Java class is injected into the JVM that can then attempt to access the log4j vulnerability, be that to execute a JNDI lookup or to capture and de-seralize a message packet.&nbsp;&nbsp;</P><P><STRONG>By Directed Attack</STRONG></P><P>Some of the vulnerabilities have exploits in the wild and those exploits have already been deployed against a number of targets with very destructive results.</P><P>Now the majority of the vulnerabilities scan vendors are continuing to fine tune their scan patterns but to be 100% sure, IMHO, there really needs to have a Java class injection that pulls the in memory Log4J class references and probes them, especially with the diverged variants.</P><P>------- Laundry list of vulnerabilities --------------</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-44228</A>&nbsp; &nbsp; &nbsp; &nbsp;10.0 Critical</P><P>Impacts log4J 2.x</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-45046</A>&nbsp; &nbsp; &nbsp; &nbsp;9.0 Critical&nbsp;</P><P>Impacts log4j 2.16.x</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-45105</A>&nbsp; &nbsp; &nbsp; &nbsp;5.8 Medium&nbsp;&nbsp;</P><P>Impacts log4j 2.17.x</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-4104</A>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 7.5 HIGH</P><P>Impacts log4j 1.2.x - basically 1.2 end of life in 2015 but there was another vulnerability found.&nbsp; "<SPAN>deserialization of untrusted data when the attacker has write access to the Log4j configuration"</SPAN></P><P><SPAN>Thank you,</SPAN></P><P><SPAN>Billy Cole</SPAN></P> Tue, 11 Jan 2022 18:58:27 GMT Billy_Cole1 2022-01-11T18:58:27Z https://community.splunk.com/t5/Splunk-AppDynamics/Log4j-vulnerabilities-version-2-17-1-and-before/m-p/723117#M3537 <P>Community,</P><P>If have been out on a deserted island, there were a few NIST vulnerabilities reported that has impacted AppDynamics controllers (saas and on-prem) and a number of Java based agents.&nbsp;&nbsp;</P><P>The main reason why I am authoring this thread for the community is to hopefully offer my perspective but also humbly request that if I got something wrong or missed something, you take the five minutes to call it out and help myself/others understand better the nature of this beast.</P><P>Vulnerabilities seem to be falling into three buckets.</P><P>1. Directly - Has the Apache log4j jars (core) with a version that is impacted</P><P>2. Indirectly - A library jar has the log4j jars within it (nested jars)</P><P>3. Diverged - At some point the log4j source was branched and modified to a custom version</P><P>1. Case - machine agent within the &lt;agent home&gt;/lib/log4j-core-2.x.jar</P><P>2. Don't have a good example of this for AppDynamics</P><P>3. Case - machine agent within the &lt;agent-home&gt;/lib/singularity-log4j-1.2.15.6.jar within the&nbsp;</P><P>singularity-log4j-1.2.15.6.jar\com\singularity\util\org\apache\log4j\.</P><P>&nbsp; &nbsp; &nbsp; &nbsp; Within the third example there is a NOTICE file in the META-INF folder that has "Copyright 2017. AppDynamics modified from Log4j2.&nbsp; So the Log4J was after the end of life of 1.2.x and without a different detection method, we are unsure if the vulnerabilities that plague us are within this variant (yes, Loki reference)</P><P>Now we can get into the detection methods.&nbsp;</P><P><STRONG>By File Name</STRONG></P><P>For case 1, it is a simple directory listing and search for log4j*.&nbsp; Case 2 gets a bit messy since each of the JAR files have to be listed to search for Log4j.&nbsp; &nbsp;The third case, is much like case 2, but we get into a mess since as exampled above the file name is mauled up with "singularity".</P><P><STRONG>By JVM Class presence</STRONG></P><P>For each of the three cases, this method requires another Java class is injected into the JVM that can then attempt to access the log4j vulnerability, be that to execute a JNDI lookup or to capture and de-seralize a message packet.&nbsp;&nbsp;</P><P><STRONG>By Directed Attack</STRONG></P><P>Some of the vulnerabilities have exploits in the wild and those exploits have already been deployed against a number of targets with very destructive results.</P><P>Now the majority of the vulnerabilities scan vendors are continuing to fine tune their scan patterns but to be 100% sure, IMHO, there really needs to have a Java class injection that pulls the in memory Log4J class references and probes them, especially with the diverged variants.</P><P>------- Laundry list of vulnerabilities --------------</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-44228</A>&nbsp; &nbsp; &nbsp; &nbsp;10.0 Critical</P><P>Impacts log4J 2.x</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-45046</A>&nbsp; &nbsp; &nbsp; &nbsp;9.0 Critical&nbsp;</P><P>Impacts log4j 2.16.x</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-45105</A>&nbsp; &nbsp; &nbsp; &nbsp;5.8 Medium&nbsp;&nbsp;</P><P>Impacts log4j 2.17.x</P><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-4104</A>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 7.5 HIGH</P><P>Impacts log4j 1.2.x - basically 1.2 end of life in 2015 but there was another vulnerability found.&nbsp; "<SPAN>deserialization of untrusted data when the attacker has write access to the Log4j configuration"</SPAN></P><P><SPAN>Thank you,</SPAN></P><P><SPAN>Billy Cole</SPAN></P> Tue, 11 Jan 2022 18:58:27 GMT https://community.splunk.com/t5/Splunk-AppDynamics/Log4j-vulnerabilities-version-2-17-1-and-before/m-p/723117#M3537 Billy_Cole1 2022-01-11T18:58:27Z https://community.splunk.com/t5/Splunk-AppDynamics/Log4j-vulnerabilities-version-2-17-1-and-before/m-p/723118#M3538 <P><A href="https://nvd.nist.gov/vuln/detail/CVE-2021-4104" target="_blank" rel="noopener nofollow noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2021-4104</A>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 7.5 HIGH</P><P>Impacts log4j 1.2.x - basically 1.2 end of life in 2015 but there was another vulnerability found.&nbsp; "<SPAN>deserialization of untrusted data when the attacker has write access to the Log4j configuration"</SPAN></P><P><SPAN>This Log4J instance is within the singularity&nbsp;jars, and that version of Log4j was code branched in 2017 and does not include the JMSAppender which is the affected class for this vulnerability.</SPAN></P><P>“<EM>Machine Agent is <STRONG>NOT</STRONG> vulnerable to this CVE because the singularity0log4j doesn’t bundle JMSAppender.”</EM></P> Wed, 12 Jan 2022 13:24:57 GMT https://community.splunk.com/t5/Splunk-AppDynamics/Log4j-vulnerabilities-version-2-17-1-and-before/m-p/723118#M3538 Billy_Cole1 2022-01-12T13:24:57Z https://community.splunk.com/t5/Splunk-AppDynamics/Log4j-vulnerabilities-version-2-17-1-and-before/m-p/723119#M3539 <P>Hi&nbsp;<A href="https://community.appdynamics.com/t5/user/viewprofilepage/user-id/152794">@Billy.Cole</A>,</P> <P>Thanks for sharing all this wonderful info on the Community!</P> <P>We'd like to note and share some additional resources for yourself or anyone else who comes across this post.</P> <DIV class="p-rich_text_section">&nbsp;</DIV> <OL class="p-rich_text_list p-rich_text_list__ordered" data-stringify-type="ordered-list" data-indent="0" data-border="0"> <LI data-stringify-indent="0" data-stringify-border="0">Link to the<SPAN>&nbsp;</SPAN><A class="c-link" tabindex="-1" href="https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability" target="_blank" rel="noopener noreferrer nofollow" data-stringify-link="https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+Apache+Log4j+Vulnerability" data-sk="tooltip_parent" data-remove-tab-index="true">Security Advisory: Apache Log4j Vulnerability</A></LI> <LI data-stringify-indent="0" data-stringify-border="0"><A class="c-link" tabindex="-1" href="https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+CVE-2021-45105+in+Apache+Log4j" target="_blank" rel="noopener noreferrer nofollow" data-stringify-link="https://docs.appdynamics.com/display/PAA/Security+Advisory%3A+CVE-2021-45105+in+Apache+Log4j" data-sk="tooltip_parent" data-remove-tab-index="true">Security Advisory: CVE-2021-45105 in Apache Log4j</A></LI> <LI data-stringify-indent="0" data-stringify-border="0">Community News &amp; Announcements <A href="https://community.appdynamics.com/t5/News-Announcements/bg-p/news-and-announcements/label-name/privacy%20and%20security" target="_self">Privacy and Security label</A>&nbsp;(which has current info about Log4j)</LI> </OL> <P>Feel free to comment on any of those existing pieces of content as well.&nbsp;</P> <P>Thanks again for sharing!</P> Wed, 12 Jan 2022 19:14:37 GMT https://community.splunk.com/t5/Splunk-AppDynamics/Log4j-vulnerabilities-version-2-17-1-and-before/m-p/723119#M3539 iamryan 2022-01-12T19:14:37Z