If you have read the news over the last few days, you have heard about the latest cyber security vulnerability putting corporate networks at risk.
An open-source Java-based logging framework known as "Apache Log4j" has a vulnerability (CVE-2021-44228) that offers threat actors a relatively easy way to access an organization's server. Once there, they can potentially take control, access other systems across an organization's network, and exploit it.
A significant number of Java-based applications use Log4j as their logging utility and are vulnerable to this CVE. Many software packages including those below may be impacted:
- Apache Struts
- Apache Solr
- Apache Druid
- Apache Flink
- ElasticSearch
- Flume
- Apache Dubbo
- Logstash
- Kafka
- Spring-Boot-starter-log4j2
Recommended Actions for Log4j Vulnerability
The Apache Software Foundation, which manages the Log4j software, has released a security fix for organizations to apply in Log4j.
The CISA* also recommends the following actions for affected entities:
- Review Apache’s Log4j Security Vulnerabilities page for additional information and continue to monitor for any subsequent bypass discoveries and new updates to protect against this vulnerability.
- Apply available patches immediately. See CISA's upcoming GitHub repository for known affected products and patch information.
- Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
- Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above.
- Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings.
- Consider reporting compromises immediately to CISA and the FBI.
Partner Links for Log4j Vulnerability Updates
- Salesforce - Please reference the Salesforce Log4j help article here on the latest patches implemented by Salesforce and further updates.
- Oracle Cloud (Fusion) SaaS - Oracle continues to release patches for their products. For your SaaS platform, Oracle will complete mandatory maintenance for all Fusion environments. Please follow the Oracle published Log4j alert for additional information.
- Oracle On-Premise - Oracle has released patches for some products while others are still pending. Please follow the support document link here for the latest Log4j patch updates from Oracle as they become available (requires Oracle client login).
- Snort or Suricata - The following rules have been released: 2034647, 2034648, 2034648, 2034649, 2034650, 2034651, and 2034652.
- AWS - Please reference the AWS Log4j security bulletin here for updates.
- Microsoft - Please reference the Microsoft Log4j response here for updates.
- BMC - Please reference the BMC security advisory Log4j page here for updates.
Vulnerability Scan
For customers who utilize Digital Defense VRT, DDI provided a preliminary scanner check on December 13, 2021 in scanner release 3.0.89.2. Clients are encouraged to run a full vulnerability assessment, which includes the check Apache Log4j Remote Code Execution (147182). DDI VRT is closely monitoring and will update the check to include specific vulnerable software as information is released. Should you require assistance running an assessment for this flaw, Frontline.Cloud subscribers can contact the Emtec team.
Keep Connected
As with any vulnerability, discovery of additional systems affected may quickly change over time. It is critical to monitor the below resources over the next few weeks to ensure you are aware of new information as it is released.
If you are unsure where to start, or don’t have the security expertise or bandwidth in-house, please reach out to our team. We are here to help.
RESOURCES & REFERENCES
- https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
- https://logging.apache.org/log4j/2.x/
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://www.cyberscoop.com/log4j-cisa-easterly-most-serious/
- https://cisa.gov/known-exploited-vulnerabilities
- https://www.digitaldefense.com/resources/vulnerability-research/apache-log4j2-security-advisory/
Editors note: This post was originally published ion December 14th, 2021 and has been updated since with additional information. Last updated on December 16, 2021.