Search
  • markderijk

Log4j - a TLDR summary for SME IT leaders



TLDR

Log4J is a logging library for Java applications for which critical vulnerabilities was discovered.

An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

  • On December 10, 2021, Apache released Log4j 2.15.0 for Java 8 users to address a remote code execution (RCE) vulnerability—CVE-2021-44228.

  • On December 13, 2021, Apache released Log4j 2.12.2 for Java 7 users and Log4j 2.16.0 for Java 8 users to address a RCE vulnerability—CVE-2021-45046.

  • (Updated December 18, 2021) On December 17, 2021, Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DOS) vulnerability—CVE-2021-45105.

With the library being included in many applications knowingly and unknowingly it is causing a lot of problems for organisations small and large.

With the vulnerabilities being actively exploited time is of the essence.

This article will hopefully help you get to grips on what the vulnerabilities entail and what you can do about it.

Guidance

GOVCERT.CH



https://govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

CISA

The US government agency has put together a well-researched document that covers a lot of guidance

https://us-cert.cisa.gov/apache-log4j-vulnerability-guidance

They have also published a community-sourced list of affected vendors, products and patch availability:

https://github.com/cisagov/log4j-affected-db

Highlights:

Immediate actions to take against exploitation:

  • Discover all internet-facing assets that allow data inputs and use Log4j Java library anywhere in the stack

  • Discover all assets that use the Log4j library.

  • Update or isolate affected assets.

  • Assume compromise, identify common post-exploit sources and activity, and hunt for signs of malicious activity.

  • Monitor for odd traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).

Microsoft

Microsoft has also put together excellent guidance and how their customers can use their products to their advantage. They provide updates from their threat intelligence teams as well.

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

AWS

AWS similar to Microsoft has also produced extensive guidance and how you can use their products and services to protect your organisation.

https://aws.amazon.com/blogs/security/using-aws-security-services-to-protect-against-detect-and-respond-to-the-log4j-vulnerability/

Apache

Apache project has a dedicated page with more details on the three vulnerabilities that have affected the Log4J library.

Apache Log4j Security Vulnerabilities webpage

NCSC UK

National Cyber Security Center has written up an excellent document targeting board directors which can be helpful if you are fielding questions from the board.

https://ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be-asking…

Twitter

Twitter has a very active cybersecurity community so it's good to keep tabs on the following hashtags if you can:

#log4j

#log4jshell

Log4J Scanner

There are a few scanners that have been created to scan for vulnerable log4j applications.

One of them is:

https://github.com/fullhunt/log4j-scan

WAF

You might have deployed a Web Application Firewall to protect your externally facing applications.

However, there have been documented ways to bypass the WAF and still exploit the vulnerability.

https://gist.github.com/ZephrFish/32249cae56693c1e5484888267d07d39

Our Company

Want to know more about how we help small and medium enterprise IT leaders improve their organisation's cybersecurity?

Then check out our services.

48 views0 comments