Log4j - What You Need to Know
December 15, 2021
Over the past week a new vulnerability has been escalated within the industry. The vulnerability is in a Java library called Log4j, often used in devices running Apache. It is utilized in web servers, network gear, appliances, and IoT devices. Manufacturers are investigating exposure and developing patches.
If you have Apache devices exposed to the internet, remediation should be investigated as soon as possible. Microsoft has released statements that they observe widespread exploit queries hitting any internet-facing devices with open inbound web ports. Much of this traffic comes from botnets which are actively exploiting the flaw. Evidence has been shown that the flaw was being exploited as early 12/2.
- Vulnerability scanners - If you run vulnerability scanners, investigate whether they detect Log4j vulnerabilities and run scans against both external and internal endpoints.
- Cisco has developed IDS signatures for Snort to identify traffic patterns.
- Open source tools have been developed to manually check for the flaw.
- Public-facing ports should be evaluated, closed, and remediated ASAP.
- WAF vendors are developing or have released rules to block exploit queries.
- Cisco and VMWare have released patches for several products.
- Some devices require manual steps to remediate or mitigate. For example: Apache on Windows can be fixed with an environment variable.
for an exhaustive list of known software that's vulnerable to Log4j.
CAIT can consult with your teams to identify, mitigate, and remediate vulnerabilities like Log4j, or implement products which proactively reduce these types of risks.