Log4j continues to disrupt global festive season change freezes.
On Friday (10 December 2021), NIST announced a remote code execution vulnerability (CVE-2021-44228) https://nvd.nist.gov/vuln/detail/CVE-2021-44228 in the Apache log4j project. Log4j is one of the pervasive, open-source building blocks that applications across your infrastructure use for logging.
The vulnerability is of critical severity as it can be exploited to execute arbitrary code within your network and NIST reflect this with a 10/10 under the Common Vulnerability Scoring System v3.
The key timelines:
- Vulnerability identified on 24 November 2021.
- Critical Vulnerability reported on 26 November.
- Apache project released v2.15 as first remediation attempt on 6 December.
- The security researcher announced the vulnerability at 1:25am (AEDT) Friday 10 December.
- First exploit attempt in our MDR customers at 12:51pm (blocked by web application firewall).
- NZ CERT announce active exploits being observed @ 9:30pm Friday 10 December.
- NIST announce a second vulnerability (2021-45406) on Tuesday 14 December.
- Apache project released v2.16 in response on the same day.
Brace168 follows industry recognised detection and response methodology and incident response practice.
To avoid confusion and undue panic, Brace168 has conducted a series of tests and investigations of this CVE, which as a result has presented the following triaged findings:
Brace168 SOC Security Analysts have:
- Assessed the exposure across our internal systems, to which there was not any adverse findings;
- Any of Brace168 managed customers, which there was not any adverse findings;
- Provided remediation assistance for the vulnerable systems that were identified in our customer base, and;
- Implemented rules in our SIEM to identify attempted exploits.
To prevent exploitation of this vulnerability we advise our customer to urgently:
- Assess the vulnerability across their entire infrastructure using an updated vulnerability detection tool such as Tenable or Rapid7 in conjunction with the contextual understanding of systems and environment;
- Apply one or more of the following actions to contain the vulnerability:
- Apply the latest patch to log4j;
- Disable the Java Naming Directory Interface (JNDI) lookup with configuration for systems that can’t be upgraded;
- Apply web application firewall (WAF) rules for defence in depth, and;
- Communicate the urgency of this vulnerability to suppliers and partners, to minimise any potential threat to your supply chain.
Brace168 continues to monitor this critical vulnerability across our systems and those of our customers, if there are any material changes, we will advise our customer base in a timely manner.
In the meantime, if you have any concerns regarding this highly rated CVE please contact Brace168 SOC or account management if we can help in identification of this exploit and remediation efforts.