Stratascale Threat Advisory: Everything You Need to Know About the Critical Apache Log4j Remote Code Execution Vulnerability

 In Cybersecurity

What is the Log4j vulnerability?

CVE-2021-44228, the critical vulnerability associated with Log4j, a Java-based logging utility widely used in commonly deployed enterprise systems, was publicly disclosed on December 9, 2021. If left undetected or unchecked, this vulnerability could impact several business-critical services and applications. Attackers have already begun actively scanning for and attempting to exploit the flaw with some level of success.

 

What problems/issues can CVE-2021-44228 cause to your business operations?

  • Remote Code Execution. Successful exploitation of CVE-2021-44228 allows attackers to deliver and run malicious system payloads like crypto-mining malware, or Cobalt Strike, a legitimate penetration testing tool that attackers use regularly to steal usernames and passwords that grant them further access to your systems.
  • Sensitive data leakage. If CVE-2021-44228 is exploited, attackers can also make LDAP queries for data including things such as AWS Access Keys and Secret Access Keys, which could lead to breach scenarios for your organization.

 

What some are industry best practices that can help protect you against attacks like CVE-2021-44228?

  • Update/Patch your systems immediately. Apply vendor-released updates as soon as possible to your operating systems, applications, and embedded systems (like network equipment) to mitigate vulnerabilities in your software and applications that could be susceptible to CVE-2021-44228.
  • Log4j version updates
    • Users of Log4j 2.10 or greater can add -Dlog4j.formatMsgNoLookups=true as a command-line option or add formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups by attackers in log event messages.
    • Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups by attackers in log event messages.
  • Class removal. Organizations can remove the JndiLookup and JndiManager classes from the log4j-core jar (removal of the JndiManager will cause JndiContextSelector and JMSAppender to no longer function).
  • Review Indicators of Compromise (IOCs). Review the IOCs within your environment to confirm no active exploitation is or has taken place.
  • Employ vulnerability scans and asset management practices. Regularly perform vulnerability scans and asset management reviews to quickly identify any vulnerable systems. Any system that is identified as using Log4j should be audited to see if any vendor patches are available, or if the vendor has confirmed their tool is not vulnerable to CVE-2021-44228.

 

What Stratascale solutions and services are designed to help protect against vulnerabilities like CVE-2021-4228?

Stratascale offers several services designed to help protect against vulnerabilities like CVE-2021-44228.

  • ATLAS. ATLAS by Stratascale can help you monitor your attack surface for systems utilizing the Log4j application, and automatically notify you of anything that becomes exploitable. ATLAS offers validation services that can help confirm if your systems have been exploited or remediated, or if mitigations have been put in place, or if the detection tools you have in place can detect CVE-2021-44228 exploitation or scan attempts. Additionally, ATLAS also provides continuous automated red teaming services which can help identify other avenues of attack that are being leveraged by attackers as part of the current campaigns targeting Log4j.
  • Other services. In addition to ATLAS, Stratascale has the tools and experts needed to review systems for IOCs and any vulnerabilities in your environment.

 

What’s the one thing your organizations should do right now to protect against exposure to CVE-2021-44228?

  • Review all systems in your environment and verify they are not vulnerable. Trusting your vulnerability management scan data to detect systems that are vulnerable to CVE-2021-44228 is currently flawed because software and hardware vendors are still trying to find out if their products are vulnerable. Also, detection capabilities aren’t currently available for some systems (VMWare is an example).
  • Ensure you have detections in place. Make sure the detection capabilities of your SIEM and the protections from your EDR and IDS/IPS tools are up to date. Continue to proactively monitor the patch availability landscape of your vendors for announcements concerning their products.
  • Be prepared for emergency patching and validation activities. As more information about CVE-2021-44228 becomes available, it is important to maintain the flexibility needed to apply ad hoc emergency patches that don’t align to your scheduled patch deployment and validation calendar. The quicker you can apply and test these patches, the smaller your window of vulnerability to CVE-2021-44228 will be.