Experts Blog

Advisory on the Apache Log4j Library Vulnerability
Blue Team

On December 9, 2021, a remote code execution (RCE) vulnerability was announced for the popular Apache Log4j exposing some of the world's most popular applications and services to attack. Java is an industry standard used on many websites and applications, and the impact of this vulnerability could be severe to any business or organization. Your current systems and applications, older systems that may not be in frequent use, or your vendor’s systems all may be vulnerable at this time.

This library enables logging for many enterprise applications, has been in use for more than a decade, and is quite trivial to compromise. The vulnerability has been given the common vulnerability and exposures (CVE) designation CVE-2021-44228 and a criticality (CVSS) score of 10 out of 10.

This vulnerability is particularly troublesome due to three factors:

  1. Ubiquitous Use
  1. Ease of Compromise
  1. Exploit Mutations  

Ubiquitous Use

As stated above, the vulnerable library has been in production systems for many years, meaning it is embedded in legacy software in many organizations. Of concern is that there is no central repository for all the areas where this library is in use, making identification quite difficult.

Ease of Compromise

Several proof of concept (POC) demonstrations have shown how easy this vulnerability is to compromise. An unethical hacker simply needs to craft a payload to send to the vulnerable server, and when the payload is logged the exploit is detonated.

Exploit Mutations

We often tell organizations “log it all,” as you may need logs for forensics later. This means that log libraries are used to log many aspects of a server’s functionality. As organizations are capturing extensive logs, there have been over 50 mutations of this compromise already documented and exploits of this vulnerability have also already been documented by some of the largest organizations in the world.  

How to Protect Yourself Now:

Your emergency patch protocols should be invoked as many manufacturers and developers are updating their software to patch this vulnerability. For any software that cannot be patched, there are two options:

  1. Add a flag to the log4j2 configuration to disallow message lookups (This may impact logging)
  1. Take the system offline

Several security researchers have deemed this the biggest disclosed security vulnerability of 2021, and many are seeing exploits for this being attempted on a huge global level. As always, a multi-layered approach is best to deal with this vulnerability and those in the future including preparation, prevention, detection, and mitigation.

 

Fortalice is closely following findings and security best practices for recommended mitigation measures, and we are available to assist you in several ways including Incident Response, Threat Hunting, and Mitigation Verification.  

If you have any further questions on this vulnerability or need assistance with remediation, please contact us.

Resources:

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://threatpost.com/apache-log4j-log4shell-mutations/176962/

https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/