This article was written by Andrew Parks & James Merritt.
Apache Log4j is an open-source library that is utilized by applications to facilitate logging requests. On December 9th, 2021 a vulnerability was reported (CVE-2021-44228 from the National Vulnerability Database) that impacts applications leveraging Apache Log4j versions 2.14.1 and below. The identified vulnerability can allow malicious actors to perform remote code executions. This is performed by utilizing the Java Naming and Directory Interface (JNDI) to send a specially crafted Uniform Resource Identifier (URI) requests that can cause the application to execute arbitrary code.
The Cybersecurity & Infrastructure Security Agency (CISA) has released an Apache Log4j Vulnerability Guidance post (Link Below) that details steps both vendors and organizations should take to limit the risk of their environments being impacted by the Apache Log4j vulnerability.
FoxPointe Solutions have reviewed and modeled our recommendations after the CISA guidance document. FoxPointe Solutions recommends the following steps for all companies to limit the risk of your environment being impacted by the Apache Log4j vulnerability:
- Reach out to your vendors to identify vulnerable systems and request update timelines.
- Patch all systems immediately that are affected by the Log4j Vulnerability.
- For internally developed systems, update any Apache Log4j library to the latest available version.
- The latest version has remediated the vulnerability.
- If that is not immediately possible, companies should set the setting of “No Lookups property (log4j2.formatMsgNoLookups)” to “true” until they can update. (Reference)
- Monitor lists of vulnerable devices to compare with your environment (Link Here)
- As a note, these lists are constantly changing and not all inclusive currently.
- External scans of environment are encouraged with updated scan signatures to identify the vulnerability to your environment.
- Ensure your scan tool has the following vulnerability ID in the signatures: CVE-2021-44228.
- Configuring WAF rules to identify and block Apache Log4j attempts (as discussed in the CISA guidance).
- SOC alert rules are also recommended to identify remote code execution on public systems (as discussed in the CISA guidance)
Additional information and recommendations can be found here: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
FoxPointe Solutions is Here to Help
To learn more about how to protect your business and how FoxPointe Solutions can help, contact us today.