CVE-2021-44228: Log4j

On Dec. 9, 2021, a severe remote code exploit (RCE) vulnerability, “Log4Shell”,  was disclosed in the log4j, a logging library maintained by the Apache Foundation and used by countless Java applications over the world. What makes this vulnerability more dangerous than most is the widespread adoption of the library across a significant number of applications. This bug doesn’t affect just a single service or product, it affects any service or product that uses the Log4j2 API, which is a lot. An attacker can create a malicious payload that tricks a server into loading executable code from an attacker-controlled location, resulting in remote code execution (RCE) with the permission levels of the user running the service.

It is difficult to directly scan for log4j because it is not a service or application but rather a library integrated into many other applications. As such, we can only scan for applications that we know use the library. Censys has decided to add new findings in incremental updates as more indicators are found and vendors report their results. In the interest of time, we have also decided to only cover software and services with high visibility and verifiable vulnerabilities (developer confirmation).

Since information on the impact of this vulnerability is in some ways vast but in other ways limited, Censys will update this post regularly with vulnerable software as news trickles in. The reader should note that not everything we point out is susceptible, and not everything vulnerable is listed. Below, we discuss the most popular affected software we’ve found Internet-wide:

Apache Solr

Quick Links

• Apache Solr Annoucement 
• Censys Search Query

First up is Apache Solr. Solr is an open-source Java platform that utilizes the Lucene search engine to provide RESTful document indexing and searching. On Dec. 10, 2021, the Solr team confirmed that the project was vulnerable to this attack for versions 7.4.0 to 7.7.3 and 8.0.0 through 8.11.0. Versions before 7.4 do not use log4j2; instead, utilize an older log4j library which may be vulnerable for Solr installs with custom logging configurations.

Censys can identify Solr services based on the Solr Administrative Dashboard by using the HTML title of “Solr Admin” and matching it against different elements in the HTTP response body that seem to indicate what version is running. For example, the following HTML elements render the tagged version of the running software (note the “?_=8.9.0” at the end of each link):

<link rel="shortcut icon" type="image/x-icon" href="img/favicon.ico?_=8.9.0">

With the combination of these two patterns, we have found that out of the 2,399 unique instances we found running, and of those, the number of services found to fall within the log4j2 vulnerable range is 1,398.

We’ve found that out of the 2,399 unique Solr instances on the public Internet, 1,398 servers use vulnerable versions and are likely vulnerable to exploitation. Below, we show the known vulnerable versions and the number of services indexed by Censys.

If the version of Solr was older than 7.4, while not vulnerable by default, can be made vulnerable if an administrator has custom logging configured. So as a cautionary measure, the chart below depicts all known versions of Apache Solr that Censys was able to locate.

Solr is a backend database engine not intended to be publicly exposed, and we encourage operators to restrict public access to Solr regardless of the version running.

UniFi

Quick Links

• UniFi Announcement
• Censys Search Query

The UniFi Network Application runs on the Cloud Key or Cloud Controller product, which allows a user to administer their UniFi gear over the internet. UniFi developers have noted in their statement that the following versions of the software include a vulnerable version of log4j2:

• 6.5.54 and earlier
• 6.4.54 and earlier
• 6.3.51 and earlier
• 6.2.26 and earlier
• 6.1.71 and earlier
• 6.0.45 and earlier
• 5.14.25 and earlier
• 5.13.33 and earlier
• 5.12.72 and earlier
• 5.11.52 and earlier
• 5.10.27 and earlier
• 5.9.33 and earlier
• 5.8.30 and earlier
• 5.7.28 and earlier
• 5.6.42 and earlier

There are currently two ways to determine the exact version of an UniFi device. Older 5.x versions will include the version in the body of the main dashboard as the value of the following string: “window.unifiConfig.version”. Newer 6.x versions reference a filename prefixed with “angular” and suffixed with a unique hash. An analyst can use this hash to map the URI back to the actual version of the software; for example, “/manage/angular/g1bfe798f1/js/index.js” can be mapped to version 6.1.70.0.

Note: Readers can find a list of URI to version mappings at the end of this document.

Using this fingerprint along with the hash mappings, Censys determined that there were 85,328 potentially vulnerable UniFi Network services on the internet, with only 1,876 utilizing the latest 6.5.54 version of the software. The above bar chart shows the vulnerable versions and the number of discovered services. Although there has yet to be a working exploit for UniFi devices specifically, it is recommended that users upgrade and consider whether they need to have publicly exposed UniFi services.

Metabase

Quick Links

• Metabase Announcement
• Censys Search Query

Metabase is an open-source reporting product used for creating charts and dashboards. At the time of writing, Censys could not find any announcement from Metabase. Still, there have been several new tags to the Metabase Github repository in which reference fixes for this CVE:

• v1.40.7
• v1.39.7
• v1.38.6
• v0.41.4
• v0.40.7
• v0.39.7
• v0.38.6

Below is a chart displaying the different versions of Metabase we were able to identify, along with the number of services found for each version.

Obtaining the exact version for a Metabase install is simple as the service embeds the git tag and release branch as a text blob in the body of the landing page. By searching for the Metabase CPE in Censys, we can grab the contents of the service, which contain HTML elements like the following:

"version":{"date":"2021-08-03","tag":"v0.40.2",branch":"release-x.40.x", hash":"b884d29"}

By parsing out the version from this data, Censys has found that 19,287 services potentially use a vulnerable version of the Metabase software. Below are the top 10 versions of Metabase Censys found running on the internet.

Pagerduty Rundeck

Quick Links

• Rundeck Announcement
• Censys Search Query

On December 11th, 2021, Rundeck by Pagerduty released a statement that versions 3.4.6 and prior were vulnerable to the log4j attack. At the time of writing, Censys was able to find 1,274 services that self-identify as a Rundeck instance and only four hosts that are running the patched 3.4.7 version of the software. To determine the exact version of the software, each landing page for the administrative panel will include a link to the software documentation, which consists of the version of the currently running service. For example:

<a href="https://docs.rundeck.com/3.3.0?utm_source=rundeckapp”>

Below is a chart of all discovered Rundeck service versions and the number of hosts associated with each.

Neo4j

Quick Links

• Neo4j Developer Announcement
• Censys Search Query

Neo4j is a popular graph database system that includes an ACID interface for graph storage and analysis. Neo4j developers have acknowledged that any version after 4.2 included a vulnerable version of the Log4j2 package, and until a full release has been made, recommends the following configurations be put in place in “neo4j.conf”:

dbms.jvm.additional=-Dlog4j2.formatMsgNoLookups=true

dbms.jvm.additional=-Dlog4j2.disable.jmx=true

At the time of writing, Censys was able to identify over 4,000 services that identify as a neo4j service. Below is a chart that shows vulnerable versions along with a count of services found.

What can I do about it?

Censys continues to monitor the situation and build out new fingerprints and risks for our ASM customers as more reports of vulnerable software come in. Please refer to any one of the community tailored lists of vulnerable components and applications to verify whether any assets are susceptible to this attack.

Censys ASM customers now have access to several risks which detect software that has been listed as vulnerable to the log4j attack. Any software below includes a version range are services that Censys is able to extract versions from.

• Apache Solr: (can detect vulnerable versions 7.4.0 – 7.7.3, and 8.0.0 – 8.11.0
• UniFi Network Application: (< 6.5.54, < 6.3.51, < 6.2.26, < 6.1.71, < 6.0.45, < 5.14.25, ` < 5.13.33`, < 5.12.72, < 5.11.52, < 5.10.27, < 5.9.33, < 5.8.30, < 5.7.28, < 5.6.42
• Metabase: < 1.40.7, < 1.39.7, < 1.38.6, < 0.41.4, < 0.40.7, < 0.39.7, < 0.38.6
• PagerDuty Rundeck: < 3.4.7
• Neo4j: >= 4.2
• VMWare Horizon
• VMWare VCenter Server
• VMWare Site Recovery Manager
• Apache Druid
• Apache Flink
• Sonicwall Email Security
• Solarwinds
• Tableau Server
• Graylog
• Wowza Streaming Engine
• Apache OpenShift
• Cloudera Ambari
• Apache James
• Connectwise Control
• Cloudera Jetty
• Avaya
• Apache Coyote
• CPanel
• Elasticsearch
• Cisco IMC
• JAMF
• RedHat JBOSS

References

• Community List of Affected log4j2 Applications
• Community List of Affected log4j2 Components
• Cloudflare’s Log4j2 Analysis
• BlueTeam CheatSheet for Log4Shell
• MITRE’s entry for CVE-2021-44228
• Apache Log4j Security Vulnerabilities
• Apache Log4j Download

UniFi 6.x URI to Version Mappings