On December 10th, 2021, a serious flaw was discovered in the widely used Java logging library Apache Log4j. The vulnerability, ‘Log4Shell,’ was first identified by users of a popular Minecraft forum and was apparently disclosed to the Apache Foundation by Alibaba Cloud security researchers on Nov. 24, 2021. The vulnerability has the potential to allow unauthenticated remote code execution (RCE) on nearly any machine using Log4j.
Major tech players, including Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM have all found that at least some of their services were vulnerable and have been rushing to issue fixes and advise customers about how best to proceed. The exact extent of the exposure is still coming into view.
WHAT DEVICES AND APPLICATIONS ARE AT RISK?
Basically, any device that’s exposed to the internet is at risk if it’s running Apache Log4j, versions 2.0 to 2.14.1. NCSC notes that Log4j version 2 (Log4j2), the affected version, is included in the Apache Struts2, Solr, Druid, Flink, and Swift frameworks.
Mirai, a botnet that targets all manner of Internet-connected (IoT) devices, has adopted an exploit for the flaw. Cisco and VMware have each released patches for their affected products.
NECESSARY ACTIONS: DEVICE DISCOVERY AND PATCHING
CISA’s main advice is to identify internet-facing devices running Log4j and upgrade them to version 2.17.0, or to apply the mitigations provided by vendors “immediately”. But it also recommends setting up alerts for probes or attacks on devices running Log4j.
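The discovery step above, identifying which hosts carry a Log4j 2 release older than 2.17.0, comes down to locating log4j-core archives and reading their version. As an added example (not 1nteger’s scanner or any vendor tool), the script below walks a directory tree, reads the version from the archive name, from a nested log4j-core JAR inside a WAR/EAR/fat JAR, or from the Maven pom.properties that log4j-core ships at `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` (which also catches renamed or shaded copies), and flags anything below the version CISA recommends. The sample archives it builds are constructed fixtures, not real libraries.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Version the advisory says to upgrade to; any Log4j 2.x older than this is flagged.
FIXED_VERSION = (2, 17, 0)

# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, and similar names.
CORE_JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)", re.IGNORECASE)
# Maven metadata bundled inside every log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear"}


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def version_from_archive(path: Path):
    """Best-effort log4j-core version for one archive, or None if it carries none.

    Checks, in order: the archive's own file name, a nested log4j-core JAR name
    (WAR/EAR/fat JAR), and the pom.properties that log4j-core ships with
    (catches renamed or shaded copies).
    """
    m = CORE_JAR_RE.search(path.name)
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            for name in names:
                m = CORE_JAR_RE.search(Path(name).name)
                if m:
                    return parse_version(m.group(1))
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        pass  # not a zip archive; nothing to read
    return None


def needs_upgrade(version) -> bool:
    """True for any Log4j 2.x release older than the recommended 2.17.0."""
    return version is not None and version[0] == 2 and version < FIXED_VERSION


def scan_tree(root: Path) -> list:
    """Return [(path, 'x.y.z'), ...] for archives under root that need upgrading."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            v = version_from_archive(path)
            if needs_upgrade(v):
                findings.append((path, ".".join(map(str, v))))
    findings.sort(key=lambda item: str(item[0]))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed fixtures (not real libraries): four archives, three of them outdated."""
    lib = root / "app" / "lib"
    lib.mkdir(parents=True)
    # 1. plainly named, outdated
    with zipfile.ZipFile(lib / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\n")
    # 2. plainly named, already at the recommended release
    with zipfile.ZipFile(lib / "log4j-core-2.17.0.jar", "w") as zf:
        zf.writestr(POM_PROPS, "version=2.17.0\n")
    # 3. WAR bundling an old log4j-core under WEB-INF/lib
    with zipfile.ZipFile(root / "app" / "webapp.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", b"")
    # 4. renamed (shaded) copy identifiable only through pom.properties
    with zipfile.ZipFile(lib / "vendor-utils.jar", "w") as zf:
        zf.writestr(POM_PROPS, "version=2.13.3\n")


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it, return [(relative path, version)]."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [(p.relative_to(root).as_posix(), v) for p, v in scan_tree(root)]


if __name__ == "__main__":
    for rel_path, ver in demo():
        print(f"UPGRADE NEEDED: {rel_path} (log4j-core {ver})")
```

Point `scan_tree` at a real application root (for example a deployed webapps or lib directory) instead of the constructed tree; the three checks catch the common layouts, but a JAR that has been repackaged without its Maven metadata will still be missed, so pair this with the vendor advisories and the alerting CISA recommends.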
1nteger is actively reviewing Internet-facing services to identify potential impact on our clients. If we identify potentially vulnerable services, we will research the corrective action with the manufacturer and provide guidance on the recommended remediation. We have updated our vulnerability scanners to identify internal and external vulnerabilities.
1nteger ONE Clients
1nteger has been working since Thursday to identify IOCs (indicators of compromise) from leading threat intelligence feeds and the cyberthreat community. This information is being incorporated into the 1nteger ONE IPS appliances and SIEM alerts. Clients using 1nteger ONE managed services will also have endpoint vulnerability scans running to identify exposures, as well as active log collection and correlation to identify potentially suspicious activity.
Our team is committed to providing you with the latest information about Log4j and keeping you protected. Thank you for being a 1nteger client.