Article
Security Alert: Log4j
Most organizations likely to be affected by vulnerability. Mitigation instructions and background information detailed below.
Last updated: 10 a.m. PST 12/29/21
This post will be continuously updated as new information is made available.
A serious vulnerability in an open source software library known as Log4j has created one of the most widespread vulnerabilities in history, affecting most organizations through multiple products and services. The key issue right now: Can organizations find and patch all vulnerabilities before attackers exploit the issue?
Read on for more information about the issue and, more importantly, how to go about fixing it.
What is Log4j?
Log4j is an open source Java library developed and maintained by the Apache foundation. The widely-adopted library is used in many commercial and open-source applications as a logging framework for Java.
The popularity of Java, and specifically the use of the Log4j library in millions of Java applications, indicates that this is likely to be one of the most widespread vulnerabilities since Heartbleed and ShellShock were both discovered in 2014.
The Log4j Vulnerability (A.K.A. Log4Shell)
On December 9, 2021, Apache published a zero-day vulnerability (CVE-2021-44228) for Java-based logging package Log4j.
The Log4j vulnerability has been classified as “Critical” with a CVSS score of 10, allowing for Remote Code Execution (RCE) with system-level privileges. When exploited, this vulnerability allows an attacker to run code on the target device, giving full control over to the attacker and allowing them to perform a myriad of malicious objectives, including deploy ransomware.
How to mitigate the vulnerability
- Vulnerable versions of Log4j span 2.0-beta-9 to 2.15.0.
- Version 2.16.0 and beyond patches the most serious RCE vulnerability.
- Versions 2.17.0 and 2.17.1 patch several additional vulnerabilities.
As soon as possible, follow the Official Apache Log4j Security Advisory and update Log4j library to the most recent version. Given the nature of the evolving threats associated with this vulnerability, we recommend continuously updating to the most recent Log4j patch in order to reduce possible exposure.
We recommend checking and installing updates to all third-party products, as well as following all vendor instructions and recommendations. Identifying and mitigating this vulnerability will require continued vigilance as new patches are made available by vendors.
If you are unable to update your system immediately, please follow mitigation measures outline by the Cybersecurity and Infrastructure Agency (CISA) here.
Scan your systems for vulnerable Log4j versions
At-Bay developed a tool to help identify if a system is running a vulnerable version of Log4j. Once downloaded, run this script in each suspected system and the Command Line Interface (CLI) tool will look for java processes using a vulnerable version of Log4j library and provide an indication if found.
Please be advised that a negative test does not guarantee that your system is secure. The tool is intended for testing purposes only, and should only be used on systems you are authorized to test. Download the discovery tool on GitHub.
Implementing a Web Application Firewall
A web application firewall can also provide a temporary protection against the Log4j vulnerability. If your business is not using a web application firewall, At-Bay strongly recommends doing so. Make sure to protect all external facing systems.
- Cloudflare has introduced rules to block the commonly seen malicious HTTP requests that try to exploit this vulnerability. These rules are available even in the free tier of their product.
- Other WAF vendors such as Fastly, Akamai and Imperva (formerly Incapsula) also have the ability to protect against log4j exploits, but may require manual activation
Read more about At-Bay’s recently announced partnership with Cloudflare.
What else can I do to reduce exposure?
In addition to the above mitigation measures, At-Bay recommends the following:
- Ensure that logs are stored under limited privileges: Limited privileges makes it harder for attackers to cover their tracks, thus making malicious activity easier to discover.
- Inspect log files: The existence of URL patterns similar to ${jndi:ldap://. can reveal exploitation attempts: (sudo egrep -i -r ‘\$\{jndi:(ldap[s]?|rmi|dns)://’ /var/log)
- Enhance security controls: EDR on servers and end-point security enhance your ability to protect your organization.
- Make sure your backups are in good working order: Good backups often make the difference between a mild exposure and a severe one.
Vulnerable applications
Many of the most widely known software vendors are using the Log4j library in their products. The list of vendors already identified to be vulnerable includes Amazon AWS, Atlassian, Apache, Cisco, Dell, Okta, Oracle and many others. Please note that the list of applications affected by the Log4j vulnerability is continuously growing.
A more comprehensive list of affected vendors, along with their official response, can be found here.
Please plan to check the above list frequently, as new vendors are being continuously added.