LOG4j Vulnerability: What You Need to Know to Protect Your Network
This week, cybersecurity and IT teams around the world are scrambling to protect their networks and data from the Apache Log4j vulnerability. This high-risk vulnerability, which has the potential to affect millions of Java-based applications, is being actively exploited, causing a full-blown, worldwide cybersecurity crisis.
Log4j is the most popular java logging library in the world. It’s embedded in almost every popular internet service or application, including Twitter, Amazon, Microsoft, Minecraft and more.
“Exploiting this vulnerability is simple and allows threat actors to control java-based web servers and launch remote code execution attacks,” says Kevin de Snayer, Director, Cyber Services at Calian.
Even as fixes emerge, researchers warn that the flaw could have serious repercussions worldwide. Described as a “design failure of catastrophic proportions,” by Free Wortley, CEO of data security platform LunaSec, in a Wired article, the biggest risk is the fact that many companies don’t know that they are affected.
The Big Deal About Log4j
Log4j is a logging framework used to record user activity and the behaviour of applications. Distributed free by the non-profit Apache Software Foundation, it has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications.
The Apache Log4j remote code execution vulnerability is among the largest and most critical cyber risks in the world today.
How Critical is the Vulnerability?
“A critical vulnerability—CVE-2021-44228, also known as Log4Shell or LogJam—it’s rated with a maximum Base CVSS Score of 10,” says de Snayer. “With this vulnerability, a threat actor could perform remote code execution (RCE) by constructing a special data request packet and gain full control of the server.”
Who and What is Affected by the Log4j Vulnerability?
It’s likely that your company is using one or more of the affected products. “It’s critical that you review all externally exposed applications immediately and read the security bulletins to identify whether you are exposed and determine how to protect your data,” says Kees Pouw, Director, iSecurity, a Calian company that delivers enterprise solutions to manage cybersecurity risk.
How to Fix the Log4j Problem
Some patches and technical guidance are available, and the Apache organization has released multiple updates in recent days and advised upgrading to the latest version of the Log4j tool. But it’s highly recommended that companies also limit unnecessary outbound internet traffic, which will help to protect vulnerable systems.
Software companies are reaching out to their customers with patches and recommendations to upgrade software, as well as how to go about mitigating risk. The checklist at the bottom of this article outlines the steps that Calian and iSecurity are recommending customers take.
What Should You Do?
“Given the sheer volume of software product affected, we recommend that clients focus on identifying externally (Internet-facing) systems first,” says Pouw. These include web servers, firewalls, remote access servers and antivirus solutions.
Next, focus on critical infrastructure such as antivirus, routers and internal websites.
“It's a fluid situation, so you should continue to monitor security bulletins and updates for the next weeks and months as things will become clearer about the impact and fixes to this issue,” says Pouw.
While Nessus and other network-based vulnerability scanners do detect the vulnerability, no vulnerability scanning tool is perfect. Since this is a library that is indirectly used, relying on vendor updates is a more reliable approach.
NOTE: If you are unsure of how to address this threat, the safest option is to simply shut down your external-facing website until you have a full understanding of what you need to do.
Log4J Protection Checklist
Review critical and internet-facing software and apply vendor recommended fixes, keep monitoring for updates.
Apply good security perimeter practices, including:
- Deploy a next-generation firewall, with IPS and SSL offloading enabled.
- Deploy and tune a web application firewall.
- Block servers from initiating outbound connections. This prevents the LDAP call initiated by known exploits.
Check to see whether you have been compromised using one of the following tools:
Option #1 Yara
- Download the following rules: https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar
- Download Yara scanner: https://github.com/VirusTotal/yara/releases/download/v4.1.3/yara-v4.1.3-1755-win64.zip
- ## add recursive
- yara -r expl_log4j_cve_2021_44228.yar
Option #2 Loki
Not everyone is a cyber expert. If, after reading this article, you are still unsure of what to do or how, reach out to Calian at https://www.calian.com/contact. We can help you move forward with confidence to mitigate the risks posed by this, and any other, cybersecurity threat.
septembre 7, 2023
#FacesOfCalian: Oscar Morales
Get to know the Calian team with our Faces of Calian series!
août 1, 2023
Google fait appel à iSecurity, une entreprise de Calian, pour procéder à des évaluations de Google Cloud
La récente décision de Google de faire appel à iSecurity, une entreprise de Calian, pour procéder à une évaluation complète des répercussions sur la vie privée et à une évaluation des risques et des menaces pour les services de Google Cloud au...
mai 26, 2023
Meet the Experts - Kevin de Snayer
In today’s edition of Meet the Experts, we have an interview with Kevin de Snayer, Director of Cyber Solutions, IT & Cyber Solutions, Calian.