IT and cybersecurity teams saw their priorities immediately reordered last December when hackers began widespread exploitation of a vulnerability discovered in Java Log4j. Since news of the vulnerability broke, teams scrambled to evaluate how the vulnerability affected their systems and to deploy the required patches. The information below summarizes the latest information on the breach.
If you need help identifying and fixing your vulnerability (or if you have experienced a breach related to Log4j), contact Pratum’s incident response team immediately via our website or by calling 515-965-3756.
What is the Vulnerability?
On December 10, news broke about a critical remote code execution (RCE) vulnerability in the Java library called Log4j, which is part of open-source code maintained by the Apache Software Foundation. It is widely used by enterprise software developers.
Hackers immediately began scanning the Internet for vulnerable systems and launching hundreds of attempts per minute to exploit the vulnerability. On affected systems, hackers could gain the ability to remotely execute code and compromise or export sensitive data. You can read Apache’s advisory on the vulnerability here.
How Do I Update Apache?
Any Log4j-core version from 2.0-beta9 to 2.14.1 is considered vulnerable and should be updated to 2.16.0. Update your version of Apache to 2.15.0 here to close the vulnerability. The log4j issue (also called CVE-2021-44228 or Log4Shell) was patched in the update.
Log4j version 2.16.0 also is available. This version disables the JNDI functionality by default and removes messages lookups. While some software supports 2.16.0, other software may still rely on the JNDI functionality. In that case, you should use version 2.15.0. Before updating, ensure that the correct patched version is selected.
A new vulnerability (CVE-2021-44832) released on December 28, 2021, affects the most recent release of Log4j, version 2.17.0. While rated a CVSS of 6.6, it should be noted that this vulnerability can allow remote code execution in systems when the Log4j configuration file is loaded from a remote location.
Due to the lower CVSS score and higher complexity requirements for exploitation, fewer users may be impacted. However, if possible, users should update to version 2.17.1 that patches this vulnerability.
What Other Applications Are Vulnerable?
Updating your version of Apache won’t address the vulnerabilities in the numerous applications that use the Apache library. You’ll need to update each of those applications as their developers release updates. Expect numerous communications from software vendors who are updating their products in order to close the vulnerability. You can review a list of known software vulnerabilities at this site.
Many older applications that rely on the Java runtime are potentially vulnerable. This can include web frontends, servers and other frameworks that use the Log4j library to log data. Even if the main application is not Java-based, it may use Log4j for logging. Plan on applying multiple upgrades and patches to your system.
Within hours of the vulnerability’s discovery, Pratum’s Security Operations Center (SOC) installed new detections/mitigations to protect the systems of our Extended Detection and Response (XDR) customers. The new rules created by our analysts detect attempted exploitation; block malicious Java processes; block executable files unless they meet specific criteria; and more. We are also actively processing and adding additional Indicators of Compromise as they are disseminated through various channels.
How Do I Check for the Vulnerability on My System?
You should run a vulnerability scan on your system. You also can test it by using a local or third-party DNS logging service. Submit a request with the following: If the server requests a DNS lookup, it should be logged with the provider.
What Should I Do To Protect My System?
In addition to upgrading your version of Apache and installing the patches that software vendors provide, CISA also recommended these three additional steps:
- Enumerate any external facing devices that have log4j installed.
- Make sure that your SOC is actioning every single alert on the devices that fall into the category above.
- Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
What if I Can’t Update or The Application Vendor Hasn’t Updated Their Software Yet?
Adding the JVM flag can prevent the vulnerability in most vulnerable Java versions.
Pratum’s incident response team is currently helping clients analyze and remediate their exposure to Log4j. For help with your specific situation, contact Pratum’s incident response team immediately via our website or by calling 515-965-3756. This situation is continuing to evolve, and we’ll update this blog as new information becomes available. You also should regularly check CISA’s Apache Log4j Vulnerability Guidance for new information.