O
n Friday November 10, 2021, a critical vulnerability was publicly disclosed in the Java based logging library, Log4J. Also known as ‘Log4Shell’ this vulnerability enables a threat actor, to preform Remote Code Execution (RCE) across a slew of connected devices ranging from computers, home and enterprise routers, VPN’s, internet of things/smart devices (IoT), and web servers.
Author: Jeff White, Chief Security Officer, CMMC-RP
For context, this vulnerability has been assigned a criticality rating of ‘10’, the highest score for an industry recognized vulnerability scale. Remote Code Execution essentially allows an attacker to preform malicious commands, without authentication (login), on an internet connected device. To put this in perspective, the flaw requires minimal technical prowess. It can be exploited simply by running one command against an internet connected and Log4J vulnerable device.
What makes this vulnerability even more troubling is that Log4J has been used for years in some of the best-selling consumer products. Some of the world’s biggest companies have used some flavor of Log4J to include the likes of Microsoft, Amazon, and Apple. In fact, it has been reported that some 3 billion connected devices currently use a version of Java.
While the full scale and impact of this vulnerability has yet to be determined, it is currently being exploited ‘in the wild’. Both stateside and state sponsored actors are currently scanning network devices, in an effort to locate unpatched systems. Publicly available web sites such as Shodan.io, have helped attackers and threat groups identify these vulnerable network resources. It’s important to note that secondary cyber-attacks can be launched following initial exploit of Log4J including but not limited to installation of crypto currency mining malware, data exfiltration, and potentially even ransomware.
Are you impacted? Steps you can take to reduce your business risk.
If any of your systems are currently running Log4J versions 2.0 – 2.14.1, you are vulnerable to this Log4J exploit. Apache however, has since reported that this issue has been resolved in updated version 2.15 which is currently available for download on the Apache Website link below:
https://logging.apache.org/log4j/2.x/security.html
The following is provided as general guidance in mitigating the Log4J Vulnerability, and related risk to your organization:
- It is recommended that organizations first update all web facing applications and systems to the latest version of Log4J (Version 2.15).
- If possible, organizations should block external access to applications until they can be patched. Organizations should then preform a full inventory and fix/patch of any remaining internal systems impacted by the above.
- In addition, it is recommended that organizations also implement a Web Application Firewall (WAF) if possible, for additional monitoring capabilities.
- If your organization can afford a dedicated Managed Security Service Provider, or MSSP, it is highly recommended to do so. While Valorr remains vendor agnostic, partnering with the right MSSP provider will provide layered insight into those threats/bad actors actively targeting your network.
- While vendors are working diligently to address this, it is recommended that organizations stay up to date with 3rd party responses. Typically, vendors will send emails on how and to what extent customers may be impacted by this, and other security vulnerabilities. Customers may also check vendor blog updates for similar information.
- If you have an existing Security/Threat Intelligence Provider, you may also receive direct vulnerability related correspondence from a Customer Success Manager
- While information continues to be released on this critical vulnerability, organizations should continue to update all endpoints, and network connected devices whenever possible.
For further technical information regarding this vulnerability, please visit MITRE’s CVE-2021-44228 at the link below:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Please also visit U.S. Cybersecurity and Infrastructure Security Agency (U.S. CISA) for the latest updates and actionable guidance, as more information becomes available. Through ongoing public-private partnership, U.S. CISA provides community sharing initiatives to help businesses secure and defend against the ongoing cyber threat.
https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability (CISA Director, Jen Easterly’s statement on Log4J)
https://www.cisa.gov/uscert/ncas/current-activity (CISA Current List of Cyber Related Activity)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog (CISA Known Vulnerability Catalogue)
Update: 12.30.2021
Since initially posting, security researchers continue to discover new vulnerabilities in java-based logging library, known as Log4J. Previous industry and Apache guidance1 were to update any known vulnerable versions of LogJ (including versions 2.0-beta9 through 2.15.0; except for update 2.12.2) to version 2.16.0.
Additional Log 4J security loopholes have led Apache to issue the most recent upgrade through version, 2.17.1. A summary of vulnerabilities found in previously updated Log4J versions, 2.15.0 – 2.17.0 have been provided below for reference:
- Mitre CVE-2021-45046 – With a severity score of 9, this vulnerability in version 2.15.0, allows for potential information leak and remote code execution. Updated version 2.16.0, corrected this vulnerability.
- Mitre CVE-2021-45105 – With a severity score of 5.9, this vulnerability in version 2.16.0, allows for potential Denial of Service (DoS) to an application. Updated version 2.17.0, corrected this vulnerability.
- Mitre CVE-2021-4104 – With a severity score of 8.1, this vulnerability in version 2.17.0 allows for deserialization attacks. Updated version 2.17.1, corrected this vulnerability.
Actionable Steps your business can take to ensure the best protection:
- It is recommended that organizations upgrade to the latest version of Log4J (Version 2.17.1), for all web-facing applications and systems. If possible, organizations should block external access to applications until they can be patched.
- For Systems that cannot be patched, it is recommended to disconnect these systems from the network.
- If possible, implement a Web Application Firewall (WAF) solution for further security/activity visibility into web application activities.
- If not already in place, consider implementing a trusted managed security service provider to proactively monitor for network traffic anomalies and irregular system activity.
- Ensure all endpoints (computers) and endpoint monitoring tool (i.e., Anti-Virus or EDR) are continuously updated to the latest versions.
- Continue to monitor vendor statements and communications, for updates on how their products are addressing these vulnerabilities.
Additional Resources/Tools:
- Valor recommends organizations continue to visit U.S. Cybersecurity and Infrastructure Security Agency (U.S. CISA) for ongoing actionable guidance, based on potential threats they are seeing.
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance (CISA Guidance updated 12/28/2021)
- Organization may also visit the NIST National Vulnerability Database, which provides a list of known vulnerabilities and related technical details across impacted systems, and applications. All vulnerabilities in the CVD are provided a CVE (Common Vulnerability and Exposure) Number for universal sharing purposes.
References: 1https://logging.apache.org/log4j/2.x/security.html (Apache list of known vulnerabilities and fixes and Log4J Version 2.17.1 download)
If you found value out of this article, please check out our other Valor Insights for how you can protect your business.