On December 9, 2021, a remote code execution (RCE) vulnerability was announced in the popular Apache Log4j library, exposing some of the world's most popular applications and services to attack. Java is an industry standard used on many websites and applications, and the impact of this vulnerability could be severe for any business or organization. Your current systems and applications, older systems that may not be in frequent use, and your vendor’s systems may all be vulnerable at this time.
This library enables logging for many enterprise applications, has been in use for more than a decade, and is quite trivial to compromise. The vulnerability has been given the Common Vulnerabilities and Exposures (CVE) designation CVE-2021-44228 and a criticality (CVSS) score of 10 out of 10.
This vulnerability is particularly troublesome due to three factors:
As stated above, the vulnerable library has been in production systems for many years, meaning it is embedded in legacy software in many organizations. Of particular concern is that there is no central repository listing where this library is in use, which makes identification quite difficult.
Several proof-of-concept (PoC) demonstrations have shown how easy this vulnerability is to exploit. An unethical hacker simply needs to craft a payload to send to the vulnerable server, and when the payload is logged the exploit is detonated.
We often tell organizations “log it all,” as you may need logs for forensics later. This means that log libraries are used to log many aspects of a server’s functionality. With organizations capturing extensive logs, over 50 mutations of this compromise have already been documented, and exploits of this vulnerability have also been documented by some of the largest organizations in the world.
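One way to approach the identification problem described above is to inventory the archives on a host yourself. The following is an added example, not part of the original advisory or any Fortalice tooling: it walks a directory tree and reports every Java archive, including archives nested inside WAR/EAR/fat JAR files, that bundles the log4j-core JNDI lookup class. The function names and the `!` separator in the output are choices made for this example.

```python
import io
import os
import zipfile

# Class that implements the JNDI lookup in log4j-core; its presence marks a copy to review.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, findings, depth=0, max_depth=5):
    """Record (label, version) for each log4j-core copy, following nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip rather than abort the sweep
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, version))
        if depth >= max_depth:
            return  # bound recursion so a crafted archive cannot nest forever
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1, max_depth)


def scan_tree(root):
    """Walk a directory and return sorted findings for every archive under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, "rb") as fh:
                        scan_archive(fh.read(), path, findings)
                except OSError:
                    continue  # unreadable file: keep scanning
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for where, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{version}\t{where}")
```

A hit means a log4j-core copy is present, not that it is exploitable; compare the reported version against the vendor and CISA guidance. Copies whose package path was relocated during a build will not match this exact class path.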
Your emergency patch protocols should be invoked as many manufacturers and developers are updating their software to patch this vulnerability. For any software that cannot be patched, there are two options:
Several security researchers have deemed this the biggest disclosed security vulnerability of 2021, and many are seeing exploitation attempts on a huge global scale. As always, a multi-layered approach is best for dealing with this vulnerability and those in the future, including preparation, prevention, detection, and mitigation.
Fortalice is closely following findings and security best practices for recommended mitigation measures, and we are available to assist you in several ways including Incident Response, Threat Hunting, and Mitigation Verification.
If you have any further questions on this vulnerability or need assistance with remediation, please contact us.
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://threatpost.com/apache-log4j-log4shell-mutations/176962/