A new critical vulnerability has been found in a popular Apache java-based logging service known as Log4j 2. Log4j is widely used in many Java applications and ships by default with many enterprise applications, IT management systems, and over 400,000 open-source projects. This is a critical vulnerability that is actively being exploited by threat actors across the globe. [Client] highly recommends that you take steps to analyze your current environment, evaluate mitigations, configure protections, and upgrade vulnerable systems as quickly as is feasible given your business operations.
The vulnerability known as Log4shell permits attackers to execute remote code on the target host. Many Java-based applications leverage log4j as their logging utility and are vulnerable, making this one of the most broadly available and easily exploited vulnerabilities in recent years. Current CVEs:
CVE-2021-44228
CVE-2021-45046
CVE-2017-5645,
CVE-2019-17571
[Client]’s Recommendations
Identify vulnerable systems:
Identifying existing vulnerable systems in your environment is a key step in protecting and patching. This can be a significant effort but is key to a successful response. Existing inventory management and software lifecycle management systems will aid in this effort. There are also some scanning tools being made freely available by security researchers. As with many events like this, attackers know organizations will be scrambling for these tools and may embed malware in scanners and make them available on the web, so it is vital that you ensure you’re getting any scanning tools from a trusted source.
Many IT infrastructure systems use Apache and Java for their management interfaces, so it’s important to identify IT systems as a part of the discovery. This includes network management systems, IP phone systems, video surveillance management systems, information security systems, etc.
Application and API inspection:
From an edge or transit network perspective, next-generation firewalls and web application inspection services can detect and block these types of attacks. One key prerequisite would be to ensure proper SSL inspection is enabled on existing next-generation firewalls and web application inspection services. For cloud-based services, API security rules can be deployed leveraging many of the cloud security tools available from our partners. Host technology such as XDR can detect and block this attack today, so ensuring servers, endpoints, and management systems are actively using a managed XDR solution significantly reduces the risk associated with these types of attacks.
Application Policy enforcement:
Assess and/or develop whitelisting strategies as it pertains to next-generation firewalls for key corporate applications to mitigate suspicious traffic and remote calls to unexpected applications and/or servers. Note: Utilization of application server firewalls to prevent unexpected communication between applications is recommended.
Java Recommendations:
Disable JNDI, if possible, within your log4j deployment. This may be a complex task given development and application dependencies but may be a good interim compensating control, barring other options.
Patching options:
Refer to https://logging.apache.org/log4j/2.x/index.html for current recommended patching strategies for your respective environments.