log4g

Log4j Vulnerability Advisory

The recent Log4j exploit has resulted in an information deluge. We wanted to summarize general guidelines on identification and mitigation through our Trusted Partners in security. If you have any questions, please drop us a note, and we will try to reply to all inquiries.

What is Log4j vulnerability – Quick Read

Log4j is a Java library widely used as a logging framework in applications. The vulnerability (CVE-2021-44228) allows a threat actor to remotely execute a malicious payload in the vulnerable environment. This will become a precursor to a wide range of attacks that can be carried out using this remote code execution (RCE). This has been deemed highly critical.

Affected versions are –

  • Log4j v2.x – Log4j 2.x <= 2.15.0-rc1
  • Log4j v1.x – EOL and no longer supported

Investigative and Mitigation Actions –

  1. Identify – Identify devices and apps that may have been impacted with authenticated vulnerability scans. Licensed tools like Qualys, Nessus, Rapid7 and open-source tools like OpenVAS can be utilized.
  2. Isolate – The best approach is to isolate vulnerable Internet facing servers from the network, if feasible. Given the criticality of this vulnerability, Security should take precedence over availability.
  3. Secure – Secure the perimeter by update signatures on WAF’s and Next Gen Firewalls (NGFW) and configure alerts. This is a quick fix, but not a permanent solution.
  4. Monitor – Collect IOCs from different Threat Intelligence Feeds (AlienVault, Mandiant) and configure alerting for them on SIEM.
  5. Prioritize – SOC team should create and prioritize alerts as “Critical” for any devices attempting connections to known malicious IP or domain related to Log4j.
  6. Detect – Scan for Log4j files using EDR/MDR/XDR solutions deployed on the workloads
  7. Remediate –Patch the vulnerable library –
    1. Identify and prioritize patching the applications and servers at the earliest, starting with Internet facing apps and servers –
        Guidance from Apache –

      • Java 8 (or later) users should upgrade to release 2.16.0.
      • Users requiring Java 7 should upgrade to release 2.12.2
      • Otherwise, remove the JndiLookup class from the classpath:

        Note that only the Log4j-Core JAR file is impacted by this vulnerability. Applications using only the Log4j-API JAR file without the Log4j-Core JAR file are not impacted by this vulnerability.

    2. All hardware vendors have released updated versions of code for their devices (Cisco, IBM, EMC etc.). Upgrade these devices, starting with Internet facing devices.
  8. Anti-Phishing – Threat Intelligence agencies are reporting growing number of attacks using various methodologies, predominantly by phishing email campaigns. Updating anti-phishing signatures and blocking any IOC on email security tools is critical.
  9. User Awareness – High number of phishing attacks are being reported, user awareness is critical to minimize the impact.
log4g

Ask your Log4j vulnerability question here

Submit

Contact us

(*) Asterisk denotes mandatory fields

    You can also email us directly at info@persistent.com

    You can also email us directly at info@persistent.com