CVE-2021-44228 Log4j : Add JAVA_TOOL_OPTIONS mitigation to Environment variables (Windows)

Description

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

While it is strongly advised to update all affected applications to the corrected Log4j 2.15.0 or later, or to configure each application individually with log4j2.formatMsgNoLookups=true, some measure of attack surface reduction can be achieved system-wide by applying the value through the JAVA_TOOL_OPTIONS environment variable.

This method is limited: any Java application may override the JAVA_TOOL_OPTIONS environment as part of its startup, but this Fixlet may still provide some measure of improvement. Additionally, these variables may only be effective with specific versions of Java or Log4j.

Guidance on these values is taken from

This Fixlet applies the following Environment Variable values on Windows:

  • JAVA_TOOL_OPTIONS = -Dlog4j.formatMsgNoLookups=true (preserving any existing entries)
  • JDK_JAVA_OPTIONS = -Dlog4j.formatMsgNoLookups=true (preserving any existing entries)
  • _JAVA_OPTIONS = -Dlog4j.formatMsgNoLookups=true (preserving any existing entries)
  • LOG4J_FORMAT_MSG_NO_LOOKUPS = true (overwriting any existing entry)
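The same check and apply logic in PowerShell, as an added example that is not part of the fixlet: it reads the machine environment key the fixlet's relevance inspects, reports which of the four variables still lack the mitigation, and prepends the flag while keeping existing entries. It assumes an elevated session; note that the fixlet writes -Dlog4j.formatMsgNoLookups=true while the description above names log4j2.formatMsgNoLookups, and the check here follows the fixlet's spelling.

```powershell
# Added example (not the fixlet's code). Run from an elevated PowerShell session.
$EnvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$Flag   = '-Dlog4j.formatMsgNoLookups=true'   # spelling the fixlet writes
$OptionVars = 'JAVA_TOOL_OPTIONS', 'JDK_JAVA_OPTIONS', '_JAVA_OPTIONS'

function Test-Log4jEnvMitigation {
    # Same test as the fixlet relevance, evaluated against the registry key that
    # backs the machine environment. Emits the variable names still missing it.
    $props = Get-ItemProperty -Path $EnvKey
    foreach ($name in $OptionVars) {
        if ([string]$props.$name -notlike "*$Flag*") { $name }
    }
    if ([string]$props.LOG4J_FORMAT_MSG_NO_LOOKUPS -ne 'true') { 'LOG4J_FORMAT_MSG_NO_LOOKUPS' }
}

function Set-Log4jEnvMitigation {
    # Applies what the fixlet's setx /M calls apply: the flag is prepended to the
    # three *_OPTIONS variables (existing entries kept) and LOG4J_FORMAT_MSG_NO_LOOKUPS
    # is overwritten. SetEnvironmentVariable(..., 'Machine') writes the same registry
    # key and broadcasts WM_SETTINGCHANGE, as setx does; running processes are unaffected.
    foreach ($name in (Test-Log4jEnvMitigation)) {
        $current = [Environment]::GetEnvironmentVariable($name, 'Machine')
        $new = if ($name -eq 'LOG4J_FORMAT_MSG_NO_LOOKUPS') { 'true' }
               elseif ([string]::IsNullOrEmpty($current)) { $Flag }
               else { "$Flag $current" }
        [Environment]::SetEnvironmentVariable($name, $new, 'Machine')
        "Set $name = $new"
    }
}

# Report first, apply only when something is missing, then re-check.
$missing = @(Test-Log4jEnvMitigation)
if ($missing.Count -eq 0) {
    'All four variables already carry the mitigation.'
} else {
    "Missing: $($missing -join ', ')"
    Set-Log4jEnvMitigation
    "Compliant after apply: $(@(Test-Log4jEnvMitigation).Count -eq 0)"
}
```

Already-running Java services keep their old environment until restarted; from a newly opened console, `java -version 2>&1 | Select-String 'Picked up'` shows whether a JVM actually adopts JAVA_TOOL_OPTIONS.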



Property Details

ID: 26898
Status: Alpha - Code that was just developed
Title: CVE-2021-44228 Log4j : Add JAVA_TOOL_OPTIONS mitigation to Environment variables (Windows)
Domain: BESC
Source: Internal
Source Release Date: 12/13/2021 12:00:00 AM
Keywords: CVE, CVE-2021-44228, Log4j, vulnerability, environment, windows
Added by on 12/14/2021 9:51:29 AM
Last Modified by on 12/14/2021 9:51:29 AM
Counters: 830 Views / 22 Downloads

Relevance

Used in 16 fixlets and 16 analyses   * Results in a true/false
windows of operating system AND (if exists property "in proxy agent context" then not in proxy agent context else true)
Used in 1 fixlet   * Results in a true/false
not exists values "JAVA_TOOL_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string
OR not exists values "JDK_JAVA_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string
OR not exists values "_JAVA_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string
OR not exists values "LOG4J_FORMAT_MSG_NO_LOOKUPS" whose (it as string = "true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string

Actions

Action 1 (default)

Script Type: BigFix Action Script

// Disable WOW64 redirection on 32-bit agents running on 64-bit Windows so setx
// writes the native machine environment key.
action uses wow64 redirection {not x64 of operating system}

if {not exists values "JAVA_TOOL_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string}
waithidden cmd.exe /c "setx /M JAVA_TOOL_OPTIONS "-Dlog4j.formatMsgNoLookups=true {value "JAVA_TOOL_OPTIONS" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string | ""}""
endif

if {not exists values "JDK_JAVA_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string}
waithidden cmd.exe /c "setx /M JDK_JAVA_OPTIONS "-Dlog4j.formatMsgNoLookups=true {value "JDK_JAVA_OPTIONS" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string | ""}""
endif

if {not exists values "_JAVA_OPTIONS" whose (it as string contains "-Dlog4j.formatMsgNoLookups=true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string}
waithidden cmd.exe /c "setx /M _JAVA_OPTIONS "-Dlog4j.formatMsgNoLookups=true {value "_JAVA_OPTIONS" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string | ""}""
endif

if {not exists values "LOG4J_FORMAT_MSG_NO_LOOKUPS" whose (it as string = "true") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" of registry as string}
waithidden cmd.exe /c "setx /M LOG4J_FORMAT_MSG_NO_LOOKUPS "true""
endif

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

