Important Apache Log4j2 Security Vulnerability
The open-source Apache library Log4j is subject to a significant security vulnerability, which became widely publicized and actively exploited beginning Friday, December 10. As soon as we became aware of this, our technical engineering team began an investigation and analysis of the use of Log4j within various commercial products in the federal networks.
A flaw in Log4j, a Java library for logging error messages in applications, is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10 out of 10.
Log4J is a widely used Java library for logging error messages in applications. It is used in enterprise software applications, including those custom applications developed in-house by businesses, and forms part of many cloud computing services. The software library is developed by the open-source Apache Software Foundation and is a key Java-logging framework.
If left unpatched, the bug in the Java-logging library Apache Log4j could be used by cyber attackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack.
CISA had detected more than 1.8 million attempts to exploit the bug in the days since it became public, with over 46 percent of those coming from known malicious groups.
If exploited, the vulnerability could allow an attacker to take control of Java-based web servers and launch remote-code execution attacks, which could give them control of the computer servers. That could open up a host of security-compromising possibilities.
Evidence has been found that the flaw is being used by tracked groups based in China, Iran, North Korea, and Turkey. Those include an Iran-based ransomware group, as well as other groups known for selling access to systems for the purpose of ransomware attacks. Those activities could lead to an increase in ransomware attacks down the road.
Vendors with popular products known to be still vulnerable include Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, Oracle, Red Hat, Splunk, Soft, and VMware. The Log4j API is used in very common SCADA systems (GE Cimplicity, OSI Pi, Emerson Progea, and SIMATIC WinCC).
CISA’s main advice is to scan the network and identify internet-facing devices running Log4j and upgrade them to version 2.15.0, or to apply the patches provided by vendors “immediately”. But it also recommends setting up alerts for probes or attacks on devices running Log4j. Additional steps recommended by CISA include: enumerating any external-facing devices with Log4j installed; ensuring the security operations center actions every alert with Log4j installed; and installing a web application firewall (WAF) with rules to focus on Log4j.
At Intellectual Point, we have an array of solutions and training that will help scan your networks to identify software harboring the Log4j vulnerability and help you patch it in a timely fashion before the Dec 24, 2021 deadline. We bring you top vulnerability scanning tools such as Contrast Security for rapid scanning and detection of Log4j and rapid patching and remediation tools such as SentinelOne and Web Application Firewalls such as Fortinet that can block these Log4j exploits.