LOG4j Vulnerability: What You Need to Know to Protect Your Network
This week, cybersecurity and IT teams around the world are scrambling to protect their networks and data from the Apache Log4j vulnerability. This high-risk vulnerability, which has the potential to affect millions of Java-based applications, is being actively exploited, causing a full-blown, worldwide cybersecurity crisis.
Log4j is the most popular java logging library in the world. It’s embedded in almost every popular internet service or application, including Twitter, Amazon, Microsoft, Minecraft and more.
“Exploiting this vulnerability is simple and allows threat actors to control java-based web servers and launch remote code execution attacks,” says Kevin de Snayer, Director, Cyber Services at Calian.
Even as fixes emerge, researchers warn that the flaw could have serious repercussions worldwide. Described as a “design failure of catastrophic proportions,” by Free Wortley, CEO of data security platform LunaSec, in a Wired article, the biggest risk is the fact that many companies don’t know that they are affected.
The Big Deal About Log4j
Log4j is a logging framework used to record user activity and the behaviour of applications. Distributed free by the non-profit Apache Software Foundation, it has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications.
The Apache Log4j remote code execution vulnerability is among the largest and most critical cyber risks in the world today.
How Critical is the Vulnerability?
“A critical vulnerability—CVE-2021-44228, also known as Log4Shell or LogJam—it’s rated with a maximum Base CVSS Score of 10,” says de Snayer. “With this vulnerability, a threat actor could perform remote code execution (RCE) by constructing a special data request packet and gain full control of the server.”
Who and What is Affected by the Log4j Vulnerability?
It’s likely that your company is using one or more of the affected products. “It’s critical that you review all externally exposed applications immediately and read the security bulletins to identify whether you are exposed and determine how to protect your data,” says Kees Pouw, Director, iSecurity, a Calian company that delivers enterprise solutions to manage cybersecurity risk.
How to Fix the Log4j Problem
Some patches and technical guidance are available, and the Apache organization has released multiple updates in recent days and advised upgrading to the latest version of the Log4j tool. But it’s highly recommended that companies also limit unnecessary outbound internet traffic, which will help to protect vulnerable systems.
Software companies are reaching out to their customers with patches and recommendations to upgrade software, as well as how to go about mitigating risk. The checklist at the bottom of this article outlines the steps that Calian and iSecurity are recommending customers take.
What Should You Do?
“Given the sheer volume of software product affected, we recommend that clients focus on identifying externally (Internet-facing) systems first,” says Pouw. These include web servers, firewalls, remote access servers and antivirus solutions.
Next, focus on critical infrastructure such as antivirus, routers and internal websites.
“It's a fluid situation, so you should continue to monitor security bulletins and updates for the next weeks and months as things will become clearer about the impact and fixes to this issue,” says Pouw.
While Nessus and other network-based vulnerability scanners do detect the vulnerability, no vulnerability scanning tool is perfect. Since this is a library that is indirectly used, relying on vendor updates is a more reliable approach.
NOTE: If you are unsure of how to address this threat, the safest option is to simply shut down your external-facing website until you have a full understanding of what you need to do.
Log4J Protection Checklist
Review critical and internet-facing software and apply vendor recommended fixes, keep monitoring for updates.
Apply good security perimeter practices, including:
- Deploy a next-generation firewall, with IPS and SSL offloading enabled.
- Deploy and tune a web application firewall.
- Block servers from initiating outbound connections. This prevents the LDAP call initiated by known exploits.
Check to see whether you have been compromised using one of the following tools:
Option #1 Yara
- Download the following rules: https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar
- Download Yara scanner: https://github.com/VirusTotal/yara/releases/download/v4.1.3/yara-v4.1.3-1755-win64.zip
- ## add recursive
- yara -r expl_log4j_cve_2021_44228.yar
Option #2 Loki
Not everyone is a cyber expert. If, after reading this article, you are still unsure of what to do or how, reach out to Calian at https://www.calian.com/contact. We can help you move forward with confidence to mitigate the risks posed by this, and any other, cybersecurity threat.
décembre 9, 2022
Calian IT and Cyber Solutions once again listed on the Houston Business Journal’s 2022 Largest Houston-area Cybersecurity Companies List
Calian IT and Cyber Solutions (ITCS), a leading provider of IT and cybersecurity services for enterprises across the United States for the last 40 years, was again listed on the Houston Business Journal’s 2022 Largest Houston-area Cybersecurity Companies List - a fourth...
novembre 30, 2022
Calian Receives Cisco Regional Partner of the Year Award: TAO at Cisco Partner Summit 2022
At Cisco Partner Summit 2022, Calian was honored with the Cisco Regional Partner of the Year Award for its innovation, leadership and best practice as a Cisco business partner across Texas, Arkansas and Oklahoma.
novembre 3, 2022
In Case of Emergency… Have a Plan
When an emergency occurs, it’s too late to plan or rehearse the response. Fires, floods and other disasters don’t pause while you get ready to address them. Policies, plans and procedures for response must be in place long before they are needed.