Apache Log4j Vulnerability Update

A new remote code exploitation (RCE) vulnerability (CVE-2021-44228 / CVSS score 10.0) dubbed LogJam/Log4Shell hit the internet on Friday December 10th, 2021 that has security individuals extremely concerned, and for good reason. 

The vulnerable code is part of the Apache logging framework, which is an open source framework used by developers for logging purposes. The source of the vulnerability, Log4j, is a java library within the framework and is used to collect activity. Recent reports indicate the exploit may have started as early as December 1st, but there was no evidence of mass exploitation until the vulnerability went public. 

The vulnerability first gained notoriety through Microsofts’ Minecraft (the java-based client edition) where individuals were able to run malicious command through the in-game chat function.  Since then, the vulnerability has spread to all corners of the internet, including Steam, iCloud and various hardware-based and software-based applications.

As this vulnerability allows for RCE, the patches should be applied as soon as possible. A threat actor can take advantage of this vulnerability by simply sending java code to the device if it contains Log4j libraries. By crafting commands so that systems execute malicious code as they are logged by the Log4j libraries, they can potentially gain unauthorized remote control of these devices. 

As this java library is commonly utilized for logging purposes, any application which utilizes the library (versions 2.0 to 2.14.1)  is vulnerable to the RCE. If the service of the logging is externally facing, this only compounds on the problem. The vulnerability is fixed in the latest version (2.15), however this isn’t as easy of a fix for end users as it may initially seem. 

As the vulnerability stems from software built into the hardware and application-based software, an end-user IT department can only update the library if they own and manage the source code of the device/software. If the IT department does not manage it, they must wait for the vendor to release a patch or cease using the device/software.

For most organizations, the company must first:

  1. Ensure they are aware of all of their software (hardware and application-based software) in use
  2. Analyze those software pieces for potential vulnerable Log4j libraries
  3. Monitor the vendor’s patch releases for an update patch (if the software is vulnerable)
  4. Upon release of the update, apply emergency patches following your organizations emergency patch process.

A security researcher (SwitHak) created a GitHub repository of links to all major company announcements as it relates to Log4J. Using this repository, an IT team can quickly search through the vendors listed for the vendors disclosures as it relates to Log4j, to determine if the software is vulnerable and if so, if a patch has been released. The repository is available at https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592.

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly released the following statement concerning the vulnerability early Saturday morning.

“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the Log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.  Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.” 

CISA recommends asset owners take three immediate steps as soon as possible:

  1. Enumerate any external facing devices that have Log4j installed.
  2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
  3. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.

The Schneider Downs cybersecurity team recommends starting this repository to check if any of your software is vulnerable and to act accordingly. 

If there is additional software in your organization that is not linked within this repository, we recommend checking with the vendor or analyzing the software to determine if it is potentially vulnerable, while focusing on any software or hardware that is externally facing first, and then moving inward in the environment.

Fortunately, detecting indicators of compromise can easily be done by looking for specific strings within the log files for Log4j. A quick check would be to search for any user-agent containing “${jndi” in the URL field with a 200 HTTP status code. For further detection, you can use these commands and rules to suit your needs.

This article is a continuation of our Apache Log4j Vulnerability series, available at https://www.schneiderdowns.com/our-thoughts-on/category/cybersecurity. We encourage you to share our article with your network and reach out with any questions at [email protected]

Apache Log4j CISA Resources

Apache Log4j Web Resources

Related Articles

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
The Latest on the Uber Hack
Student Loan Forgiveness Scams on the Rise
Callback Phishing Attacks Increase 625% in Q2 2022
Automotive Dealerships and the FTC Safeguards Rule Deadline: Is Your Information Security Program Compliant?
Slack Leaked User Passwords For 5 Years
Complexities with Funding for Start-Ups
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×