December 17, 2021
The race is on as security teams around the world work diligently to fix a critical security flaw named Log4Shell, which has put organizations across every industry at risk of exploitation.
The critical vulnerability in Apache Log4 software is found practically everywhere, from online games to enterprise software to cloud data centers. The challenge facing security teams is figuring out how to fix the problem with a patch before hackers achieve remote access and wreak havoc.
This vulnerability is attention-grabbing because it is one of the most significant vulnerabilities in at least the past seven years, and it is actively being exploited.
As a result, time is of the essence because Log Log4Shell is a zero-day vulnerability, meaning affected organizations had zero days to mitigate or patch systems, thus allowing attackers to run code remotely on vulnerable servers that were running Log4j.
Log4Shell affects Apache Log4j – a logging tool implemented in many Java-based applications. This software is widely used in a variety of consumer and enterprise services, websites and applications, including operational technology products.
According to a GitHub list being updated regularly, the Log4Shell vulnerability has impacted many key organizations, including Apple, Amazon, Google, IBM, Tesla and Twitter. Cisco released a security advisory saying these vulnerabilities have affected Cisco products, as well.
How It Works
An attacker can exploit this vulnerability to take control of an affected system by instructing the system to download and execute a malicious payload. Therefore, it is recommended to assess the use and impact of Log4j and patch as soon as possible. Hackers have been exploiting the vulnerability since early December.
Immediate Steps To Take
Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated cyber attackers, the Cybersecurity & Infrastructure Security Agency urges vendors and users to take the following actions to protect against Log4j exploitation:
- Review CISA’s webpage with Apache Log4j Vulnerability Guidance and upgrade to the latest Log4j version or apply the appropriate vendor recommended mitigations immediately.
- Discover all internet-facing assets that allow data inputs and use log4j Java library anywhere in the stack.
- Discover all assets that use the Log4j library.
- Update or isolate affected assets. Assume compromise, identify common post-exploit sources and activity, and hunt for signs of malicious activity.
- Monitor for odd traffic patterns (e.g., JDNI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).
In addition to the immediate actions detailed above, affected organizations should review CISA's GitHub repository for a list of affected vendors and apply software updates as soon as they are available. Affected organizations that have upgraded to Log4j 2.15.0 will need to upgrade to Log4j2.16.0 to be protected against CVE-2021-44228 and CVE-2021-45046.
Vulnerabilities are a constant occurrence in today’s world. Organizations with ongoing vulnerability scanning solutions tend to be in better positions because they can conduct comprehensive scans of their environments to identify vulnerable systems. Then, the remediation can begin. Without scanning tools, organizations often rely on each software manufacturer to notify them.
Impact On Microsoft Clients
As a result of this vulnerability, Microsoft is not currently aware of any impact – outside of the initial disclosure involving – to the security of its enterprise services and has not experienced any degradation in availability of those services. However, Microsoft continues to analyze vulnerabilities related to Apache Log4j.
In addition to monitoring the threat landscape for attacks and developing customer protections, Microsoft’s security teams have been analyzing Marco’s products and services to understand where Apache Log4j may be used and are taking expedited steps to mitigate any instances. If they identify any impact to customer data, they will notify the affected party.
The fallout of the exploitation of this critical vulnerability (CVE-2021-44228) could be widespread, as it continues to be an evolving situation. For more information, references to advisories, solutions and tools, consult the following resources:
- Ongoing list of impacted products and devices – CISA is maintaining a community-sourced GITHub repository that provides a list of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability.
- Sources for detection rules – For detection rules, see Florian Roth’s GitHub page, log4 RCE Exploitation Detection. While CISA shared this link on its page, it has not yet validated this content.
- Microsoft Security – Guidance for preventing, detecting and hunting for CVE-2021-44228 Log4j 2 exploitation
- National Institute of Technology Standards – National Vulnerability Database continues to provide updated detail on CVE-2021-44228, as further changes are noted.