How Urgent is Urgent? Log4j 2.15.0 and CVE 2021-44228

It's true, it is urgent, and if you already upgraded to 2.15.0, or the Java 7 equivalent, getting to 2.16.0 or higher should not be prohibitive!  But, if working in security has taught me one thing, it is to take nothing for granted.  Maybe the entire dev team is gone for the holiday or maybe it is something else entirely that simply makes the organization uneasy about getting to 2.16.0 as fast as the criticality score alone justifies.  

The upgrade in criticality for the vulnerabilities in 2.15.0 from a CVSS 3 to a 9 was dually concerning because it threatens to erase the reduction in exposure that patching to 2.15 provided.  This consequently risks increasing the security fatigue as teams scramble to patch again.  

Recognizing there are conditions required for the vulnerabilities in log4j 2.15.0 to be successfully exploited, and that there is a cost every time security jumps to the front of the line with regard to priorities, I wanted to write about a way to help engineering teams undertand and search for the conditions.  I believe understanding more about vulnerabilities is always good, but remember, the simplest and safest thing to do is just patch.  Even if your projects aren't vulnerable according to the known conditions, additional vulnerabilities or conditions may be released as more is learned about these issues.

Review of Known Conditions

IF you have the log4j-core jar in your application's class path
AND the version is an affected version (e.g. ≤2.15.0)
AND use a non-default Pattern layout
AND use a Context Lookup: ($${ctx:<any lookup here>})
THEN known vulnerable & must patch to 2.16.0+ as soon as possible.

How to Find These Conditions

1. Go to the GitHub/other source control repository in question
2. Search for the word "pattern"  to find specified pattern layouts
Note: GitHub search features and limitations

3. Review the files with matches, looking for ${ctx:...} or $${ctx:...}
Note: You may notice log4j config files being most popular to find these pattern layouts (e.g. log4j.xml, log4j-config.xml, etc.)

4. Any project with these context lookups in pattern layouts is vulnerable and should be patched immediately!
Note: We are looking for context lookups to be in the pattern layout (context lookups were noted as vulnerable by apache here.)

Summary

It is not always simple to interpret the risk associated with a dynamic vulnerability.   Especially in dynamic situations, when details are fuzzy and when the consequences are so serious, no one wants to be the one holding the consequences.  These conditions can quickly lead to security fatigue.  This guide shows one way to find out if the conditions making 2.15.0 vulnerable apply to your application.  This may be able to help make the holiday a little less hectic, or simply provide engineering teams with the details they expect when being asked to shift priorities.  Bottom-line, patch as soon as possible, it shouldn't be too hard anyway!  Remember to treat dependency management with the same care that OS patch management requires.