Log4j flaw needs immediate remediation

After nearly two years of adopting major network and security changes brought on by COVID-19 and hybrid work, weary IT network and security teams didn’t need another big problem to deal with, but they have one: stopping the potential damage of a recently disclosed vulnerability in the open source Java logging software Apache Log4j.

Log4j or Log4Shell has been around for a long time (it was released in January 2001) and is widely used in all kinds of services, websites, and business and consumer applications. Experts describe the system as an easy-to-use common utility to support client/server application development.

Log4j’s weakness, defined in CVE-2021-44228 and CVE-2021-45046 in the National Vulnerability Database, basically allows an unauthenticated remote actor to take control of an affected server system and gain access to company information or unleash a denial of service attack.

There is a solution to the problem, so organizations should immediately upgrade to Log4j 2.16.0 to be protected against both CVEs, experts say.

Still, the impact of the vulnerability could be extensive because it has been in the wild for so long and because Log4j is widely used. The Log4j library is integrated into almost all Internet services and applications, including Twitter, Amazon and Microsoft, according to Check Point.

“Log4j worms could damage critical infrastructure, and it is already a threat to national security,” said Tom Kellermann, head of cybersecurity strategy for VMware. “The bad actors of the nation state are already exploiting it as we speak.”

For example, Check Point says it has seen more than 2.8 million attempts to exploit the vulnerability and more than 46% of them were made by known malicious groups as of December 16. “So far we have seen an attempt to exploit more than 47% of the networks worldwide,” Check Point said.

Cisco’s Talos security research unit said it has seen attempts to put the Log4j Java Naming and Directory Interface (JNDI) attack chain in email. “At this time, we have not identified widespread email campaigns that attempt to use email messages to trigger the vulnerability. It is potentially an acknowledgment, as many threat actors and researchers are essentially trying everything in an attempt to find something that will eventually make it to log4j,” the group stated.

“The biggest issue for business customers is the number of systems that could be affected because the systems of record are so widespread and while servers connected to the Internet can be highly vulnerable, it is the downstream servers linked to them that are also problematic,” said Nick Biasini, director of outreach with Cisco Talos. “Additionally, organizations batch-process logs that may go unprocessed for weeks, so the effects of vulnerabilities will be felt for a long time.”

“The Log4j vulnerability is widespread and can affect business applications, embedded systems, and their subcomponents,” said Jonathan Care, research director at Gartner Research, in a statement. “Java-based applications, including Cisco Webex, Minecraft, and FileZilla FTP, are examples of affected programs, but this is not an exhaustive list. The vulnerability even affects the mission of the Mars 2020 helicopter, Ingenuity, which uses Apache Log4j for event logging.”

Care noted that the security community has created lists cataloging vulnerable systems, which include major networking players such as Cisco, Juniper, Arista, Palo Alto, and VMware, as well as other major players in the industry such as IBM, AWS and Google.

“However, it is important to note that these lists are constantly changing, so if a particular application or system is not listed, please do not take it as a guarantee that it will not be affected,” said Care. “Exposure to this vulnerability is highly likely, and even if a particular technology stack does not use Java, security leaders must anticipate that key vendor systems (SaaS vendors, cloud hosting vendors, and web server vendors) do.”

Remediation

There are several things that companies can do to respond to the Log4j vulnerability, experts said.

“Business users should implement the Log4j 2.16 patch immediately, but they can also micro-segment outbound traffic to prohibit new connections,” Kellermann said. “They also need to monitor abnormal traffic flows in those environments and expand their threat hunting capabilities.”

VMware said it has responded to the Log4j situation in several of its products. For example, NSX Distributed IDS/IPS and NSX Network Detection and Response (NDR) signatures have been published that detect attempted exploitation of Log4j, including obfuscation methods seen in the wild. These signatures will detect and prevent attempts to exploit vulnerabilities regardless of their origin, VMware said.

Cisco, Palo Alto, AWS, and others have also responded to the vulnerability.

Gartner’s Care said that cybersecurity leaders must make identifying and remediating this vulnerability a top and immediate priority.

“Begin with a detailed audit of every application, website, and system within your domain of responsibility that is connected to the Internet or could be considered public. This includes self-hosted installations of cloud-based services and vendor products,” said Care. “Pay particular attention to systems that contain sensitive operational data, such as customer details and access credentials.”

Once this audit is complete, direct your attention to remote employees and make sure they update their personal devices and routers, which are a vital link in the security chain, Care said.

“This will likely require a proactive and involved approach, as simply issuing a list of instructions is not enough, as vulnerable routers provide a potential entry point to key business applications and data repositories,” Care said. “You will need the support and cooperation of the IT team as a whole.”

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends organizations take three additional and immediate steps regarding this vulnerability: “Itemize any external devices that have log4j installed; make sure your security operations center is triggering each alert on devices that are in the category above; and install a web application firewall (WAF) with rules that update automatically so your SOC can focus on fewer alerts.”
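The audit and the “itemize” step above both depend on finding every copy of Log4j, including copies bundled inside other archives. The following is an added example, not code from the article or from any vendor tool it names: it inventories log4j-core copies in jar/war/ear files and flags versions below the 2.16.0 release the article recommends. The function names, and the use of Maven's `pom.properties` metadata and the `JndiLookup` class file as markers, are assumptions of this example.

```python
import io
import os
import re
import zipfile

FIXED = (2, 16, 0)  # release the article says protects against both CVEs
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE = re.compile(r"\.(jar|war|ear)$", re.I)
VERSION = re.compile(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", re.M)

def scan_archive(data, label, findings):
    """Inspect archive bytes for log4j-core, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, skip it
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            m = VERSION.search(zf.read(POM).decode("utf-8", "replace")) if POM in names else None
            version = tuple(int(g or 0) for g in m.groups()) if m else None  # None = unknown
            findings.append({"path": label, "version": version, "jndi_lookup": JNDI in names,
                             "needs_upgrade": version is None or version < FIXED})
        for name in sorted(n for n in names if ARCHIVE.search(n)):
            scan_archive(zf.read(name), f"{label}!/{name}", findings)  # nested jar/war
    return findings

def scan_tree(root):
    """Walk a directory and report every log4j-core copy found in its archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(f for f in files if ARCHIVE.search(f)):
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                scan_archive(fh.read(), path, findings)
    return findings

def make_jar(entries):
    """Build a constructed in-memory archive (sample data, not a real Log4j jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    old = make_jar({POM: "version=2.14.1\n", JNDI: b""})
    app = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old})
    print(scan_archive(app, "app.war", []))
```

A copy with no version metadata (for example a repackaged jar that kept the classes but dropped `pom.properties`) is reported with `version` set to `None` and flagged for manual review rather than assumed safe.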

Other Log4j activities

  • IBM’s X-Force created a scan tool to detect Log4Shell. You can access it, free of charge, here: https://github.com/xforcered/scan4log4shell.
  • Microsoft stated that because this vulnerability is in a Java library, the cross-platform nature of Java means that the vulnerability is exploitable on many platforms, including Windows, macOS, and Linux. Since many Java-based applications can take advantage of Log4j 2 directly or indirectly, organizations should contact application vendors or ensure that their Java applications are running the latest updated version. Developers using Log4j 2 should ensure that they incorporate the latest version of Log4j into their applications as soon as possible to protect users and organizations.
  • Microsoft also said that Azure App Service and Functions does not distribute Log4j in managed runtimes such as Tomcat, Java SE, JBoss EAP, or Functions Runtime. However, applications can use Log4j and be susceptible to this vulnerability. Customers are encouraged to apply the latest Log4j security updates and redeploy the applications.
  • Cisco Talos has released seven new ClamAV signatures for CVE-2021-44228 and CVE-2021-45046. A new Snort signature ID, 58795, has also been released.

Join Network World communities on Facebook and LinkedIn to comment on the most important topics.

Copyright © 2021 IDG Communications, Inc.
