12/15/2021 UPDATE: Be sure to investigate all endpoints for signs that unauthenticated users exploited the Log4j flaw. The nature of a zero-day exploit means that attackers were able to start exploiting the vulnerability before software vendors were even aware it existed.
Evidence suggests exploitation attempts began as early as December 1. Additionally, Microsoft published an update yesterday stating they’ve “observed multiple threat actors leveraging the CVE-2021-44228 vulnerability in active attacks.” Microsoft Threat Intelligence Center (MSTIC) says these tracked threat groups include nation-state activity groups from China, Iran, North Korea, and Turkey.
While no one detection tool is perfect, this Log4ShellEnumeration, Mitigation, and Attack Detection Tool is one of the more helpful tools we’ve found. But keep in mind that these tools alone cannot replace experienced IT and security professionals evaluating your systems for signs of exploitation.
12/14/2021 UPDATE: The US Cybersecurity & Infrastructure Security Agency (CISA) created a webpage specifically for sharing the most recent information related to the Log4j Vulnerability. Check the CISA’s Apache Log4j Vulnerability Guidance page regularly for new updates and additional information as it becomes available.
12/13/2021 ORIGINAL POST: Late last week, our team learned of a critical security vulnerability affecting systems that use Java-based programs. This article includes a basic explanation of our understanding to date and how our team is responding.
What is the Log4j or Log4Shell Vulnerability?
Java is a common software programming language used in many business applications. The Log4j vulnerability, also known as Log4Shell and tracked as CVE-2021-44228, is a flaw in a common Java logging library. This flaw allows unauthenticated users to quickly and easily run remote code, which they can use to execute malware and gain access to credentials and other sensitive information.
The Log4j vulnerability is a zero-day exploit, meaning hackers can execute cyberattacks through software flaws before vendors are aware of the flaw.
This vulnerability is considered critical and has a Common Vulnerability Scoring System (CVSS) score of 10 out of 10.
Long story short, it's a big deal and something your IT team must address immediately.
Are You Affected by the Log4j Vulnerability?
This is what makes this vulnerability so challenging. There is no easy way to tell which applications use Java. And even if you do know which applications are Java-based, there's no easy way to tell which use the Log4j logging library.
For the most part, you're at the mercy of your software vendors to keep you informed on the presence of the vulnerability and provide instructions on mitigation. Make sure you've subscribed to security updates and are actively monitoring knowledge bases and security-related community threads from all of your software vendors.
Some popular vendor security announcements include:
- Amazon Web Services - Update for Apache Log4j2 Issue (CVE-2021-44228)
- Oracle - Oracle Security Alert Advisory - CVE-2021-44228
- VMware - Investigating CVE-2021-44228 Log4Shell Vulnerability
- IBM - An update on the Apache Log4j CVE-2021-44228 vulnerability
- HP/HPE – Support Alerts – Customer Notice
- Dell - Additional Information for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
- Cisco - Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021
What to Do About the Log4j Vulnerability?
First, make sure to update any locally installed versions of Java to at least version 8 update 121 (version 8 update 311 is the latest). You can find information for updating and removing old versions of Java on the Java website.
Next, upgrade or patch all Java-based applications. This is where it gets tricky. Each vendor is investigating if and how the vulnerability impacts their applications. Vendors are releasing security bulletins and security patches as needed. So, it's crucial to stay up to date on the latest communications and bulletins all your software vendors are releasing.
Lastly, be sure to update the logging library to at least version log4j-2.15.0.rc2 or higher for any internally built applications that use Java.
Best Practices While You Wait for Vendor Updates
Vendors are working as fast as they can. While you wait on patches and security updates, consider locking down external access and removing port forwarding to all Java-based applications.
How is Innovative Handling the Log4j Vulnerability?
Innovative maintains a security and incident response team that continuously receives, monitors, and researches security alerts from various government and industry sources. We evaluate each alert to determine its impact on Innovative's client networks and devices. We then initiate communication and mitigation efforts with individual clients as necessary.
Innovative clients – we will contact you individually to discuss next steps if we identify the Log4j vulnerability on your devices and networks that we manage. We've already contacted many clients and have started executing mitigation efforts.
If you're an Innovative client that internally administers any portion of your network or devices, please be sure you're working to take mitigation actions as needed. Our team is available to collaborate on your mitigation strategy.
Do Not Take the Log4j Vulnerability Lightly
This threat is very real and very serious. It impacts nearly all businesses, and your IT team must address it quickly and efficiently.
In a statement from the US Cybersecurity & Infrastructure Security Agency (CISA), CISA Director Jen Easterly said, "this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action."
Innovative's security and incident response team has been working on mitigation efforts around the clock since we learned of the threat last week. We will continue to dedicate our highest-level resources to mitigation efforts until all client networks are addressed.
