TLDR
Log4J is a logging library for Java applications for which critical vulnerabilities was discovered.
An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
On December 10, 2021, Apache released Log4j 2.15.0 for Java 8 users to address a remote code execution (RCE) vulnerability—CVE-2021-44228.
On December 13, 2021, Apache released Log4j 2.12.2 for Java 7 users and Log4j 2.16.0 for Java 8 users to address a RCE vulnerability—CVE-2021-45046.
(Updated December 18, 2021) On December 17, 2021, Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DOS) vulnerability—CVE-2021-45105.
With the library being included in many applications knowingly and unknowingly it is causing a lot of problems for organisations small and large.
With the vulnerabilities being actively exploited time is of the essence.
This article will hopefully help you get to grips on what the vulnerabilities entail and what you can do about it.
Guidance
GOVCERT.CH
https://govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
CISA
The US government agency has put together a well-researched document that covers a lot of guidance
https://us-cert.cisa.gov/apache-log4j-vulnerability-guidance
They have also published a community-sourced list of affected vendors, products and patch availability:
https://github.com/cisagov/log4j-affected-db
Highlights:
Immediate actions to take against exploitation:
Discover all internet-facing assets that allow data inputs and use Log4j Java library anywhere in the stack
Discover all assets that use the Log4j library.
Update or isolate affected assets.
Assume compromise, identify common post-exploit sources and activity, and hunt for signs of malicious activity.
Monitor for odd traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).
Microsoft
Microsoft has also put together excellent guidance and how their customers can use their products to their advantage. They provide updates from their threat intelligence teams as well.
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
AWS
AWS similar to Microsoft has also produced extensive guidance and how you can use their products and services to protect your organisation.
https://aws.amazon.com/blogs/security/using-aws-security-services-to-protect-against-detect-and-respond-to-the-log4j-vulnerability/
Apache
Apache project has a dedicated page with more details on the three vulnerabilities that have affected the Log4J library.
NCSC UK
National Cyber Security Center has written up an excellent document targeting board directors which can be helpful if you are fielding questions from the board.
Twitter has a very active cybersecurity community so it's good to keep tabs on the following hashtags if you can:
Log4J Scanner
There are a few scanners that have been created to scan for vulnerable log4j applications.
One of them is:
https://github.com/fullhunt/log4j-scan
WAF
You might have deployed a Web Application Firewall to protect your externally facing applications.
However, there have been documented ways to bypass the WAF and still exploit the vulnerability.
https://gist.github.com/ZephrFish/32249cae56693c1e5484888267d07d39
Our Company
Want to know more about how we help small and medium enterprise IT leaders improve their organisation's cybersecurity?
Then check out our services.
Comments