The Apache Log4j zero-day vulnerability (CVE-2021-44228) is also referred to as Log4Shell. The first attacks exploiting this zero-day globally were observed on December 1st and 2nd. Proof-of-concept (PoC) code, a demonstration that the vulnerability can actually be exploited, was publicly released on December 9th, followed on Friday, December 10th by official announcements on how to patch this zero-day.
Many devices and applications are affected by this zero-day. Log4j is used almost everywhere and can be hard to find if you do not know where to look. What makes this more challenging is that the library is usually bundled inside other products, so the average person cannot see the vulnerability until it is too late. The NCSC-NL repository on GitHub collects a list of all known vendors and products affected by Log4j. That list is an excellent starting point if you know which software or devices are in your environment.
You can find this list here: https://github.com/NCSC-NL/log4shell/tree/main/software
SecurityMetrics has evaluated all of our systems for the presence of Log4j. We found a few systems using this logging library and they are all patched. An impact analysis was performed on all of these systems and none of these systems caused a data breach.
For clients of the SecurityMetrics Threat Intelligence Center, we are actively scanning for and informing clients of outbound Log4j indicators of compromise. As you can imagine, this is a huge undertaking, with so many vulnerable devices and applications spread across such a large landscape.
It is recommended that all SecurityMetrics clients take a very active approach to mitigating Log4j vulnerabilities in their environment by:

- Updating Log4j to a patched version wherever possible.
- If you cannot update, setting the log4j2.formatMsgNoLookups system property to true (for example, -Dlog4j2.formatMsgNoLookups=true on the JVM command line), which helps prevent exploitation.
- Following the CISA guidance on the Apache Log4j vulnerability: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
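Because Log4j is so often buried inside other software, the first step for most clients is an inventory: find every copy of log4j-core on disk, including copies nested inside war, ear or zip archives, read its version, and decide whether it still needs the update or the formatMsgNoLookups mitigation. The script below is an added example written for this post; it is not SecurityMetrics tooling or Log4j project code. It reads the version from the Maven pom.properties file that log4j-core ships inside its jar, checks whether the JndiLookup class is present, and classifies each find. The version thresholds are facts about Log4j releases (2.15.0 is the first release with the CVE-2021-44228 fix; the log4j2.formatMsgNoLookups property only exists from 2.10 on, so it has no effect on older builds). The sample war it scans is constructed in memory so the example runs offline; the directory walker works the same way on real paths.

```python
"""Inventory Log4j 2 (log4j-core) on disk, including copies nested inside
war/ear/zip archives, and classify each find against the CVE-2021-44228 fix.
Added example for this post; not SecurityMetrics or Log4j project code."""
import io
import os
import re
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Maven metadata that log4j-core ships inside its jar; gives the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs JNDI lookups; its absence means it was stripped out.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_IN = (2, 15, 0)          # first release containing the CVE-2021-44228 fix
NO_LOOKUPS_SINCE = (2, 10, 0)  # log4j2.formatMsgNoLookups exists from 2.10 on


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version, has_jndi_lookup):
    """Classify one log4j-core find.

    Returns (status, flag_effective). flag_effective says whether setting
    log4j2.formatMsgNoLookups=true would even take effect on this version;
    the property did not exist before 2.10, so older builds need the update.
    """
    v = parse_version(version)
    if v is None:
        return "unknown-version", False
    if v >= FIXED_IN:
        return "patched", False
    flag_effective = v >= NO_LOOKUPS_SINCE
    if not has_jndi_lookup:
        return "vulnerable-version-jndilookup-removed", flag_effective
    return "vulnerable", flag_effective


def scan_archive(data, path, findings):
    """Look inside one archive (given as bytes) and recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not really a zip (corrupt file, wrong extension)
    with zf:
        names = set(zf.namelist())
        has_lookup = JNDI_LOOKUP in names
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else "unknown"
        elif has_lookup:
            version = "unknown"  # shaded or repackaged jar without Maven metadata
        if version is not None:
            status, flag_effective = assess(version, has_lookup)
            findings.append({"path": path, "version": version,
                             "jndi_lookup_present": has_lookup,
                             "status": status,
                             "format_msg_no_lookups_effective": flag_effective})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), path + "!/" + name, findings)
    return findings


def scan_directory(root):
    """Walk a directory tree and scan every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_sample_war():
    """Constructed test input: a fake app.war bundling a fake log4j-core-2.14.1.jar
    (pom.properties plus an empty JndiLookup.class placeholder) and a junk jar."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=2.14.1\n")
        zf.writestr(JNDI_LOOKUP, b"")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar.getvalue())
        zf.writestr("WEB-INF/lib/other.jar", b"not a real jar")
    return war.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "constructed/app.war", []):
        print(finding)
```

Run it against a real host with scan_directory("/opt") (or wherever your applications live) and review every entry whose status is not "patched". A find marked vulnerable with format_msg_no_lookups_effective set to False is on a build older than 2.10, where the property is silently ignored; the only fix there is the update.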