Log4j security vulnerabilities

What is log4j and how bad is the news?

On December 9, a new “remote code execution” vulnerability, also referred to as CVE-2021-44228 or Log4Shell, has been disclosed for Log4j. Log4j is by far the most popular piece of software used for logging purposes in applications built on Java. This is extremely problematic as Log4j is often part of internet facing services and software, so relatively easy to exploit remotely.

If attackers manage to successfully exploit this vulnerability on one of your servers, they gain the ability to potentially take full control of the system. Detection and exploitation of this vulnerability by malicious actors is already happening, since the exploitation software is publicly available.

On top of that, there was a second problem found, called CVE-2021-45046 where hackers could execute a DOS (Denial of Service) attack, making the server useless without breaking into the server.

• Code RED: How to deal with Log4Shell vulnerability? (blog article)
• Code rood bij IT-afdelingen: vrees voor nieuwe golf aan gijzelsoftware (De Tijd article in Dutch)

Am I impacted?

There are two ways to check whether or not your company has been impacted:

Manual verification
Verifying manually which versions of the software are installed on your servers. This can be a tedious endeavor, since the Log4j software can be part of software, so it can be hard to find.

Using a vulnerability management service or tool
With Vulnerability Management you can scan a server or service and uncover potential vulnerabilities, like Log4J. This can be done using network scanners are agents installed on servers.

• Vulnerability and Compliance Management (Cegeka solution)

What are solutions?

Fortunately, a patch has been released to fix the Log4j vulnerability. We advise to upgrade to version 2.17 to be protected against the vulnerability and DOS attack. However, patching does not guarantee that the server was not infected beforehand and the hacker is already inside.

Therefore, we strongly recommend installing Endpoint Detection & Response (EDR) as well in case:

1. Mitigation (patching) is delayed or impossible.
2. After the patching to check that there is no malicious activity happening on your infrastructure.

Endpoint Detection & Response is a strategic solution which can also protect for future vulnerabilities. We advise to go for a managed solution, since the EDR alarms need to be looked at 24x7, so attacks are contained immediately.

• Managed EDR (Cegeka solution)

I want to know more

Some technical links with (background) information:

• Technical details on the vulnerability
• Download Apache Log4j 2 patch
• Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation (Microsoft blog)
• Latest research and insights on Log4Shell (Tenable)
• Log4j2 Vulnerability: How to Mitigate CVE-2021-44228 (CrowdStrike blog)