Last week security organizations began tracking and responding to active and widespread exploitations of a new critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library, commonly referred to as “Log4Shell” and “Logjam”, versions 2.0-beta9 to 2.14.1. The Log4j library is used to log security and performance information.
This is a very dangerous vulnerability due to the widespread use of the Log4j library and the ease of exploitation.
This CVE has been given the maximum severity score (10.0) possible because (1) the Log4j library is broadly used in a wide range of consumer and enterprise services, websites, and applications, (2) the vulnerability allows an adversary full control over an exploited system, and (3) it is relatively easy to exploit the vulnerability.
According to CISA’s webpage specifically set up for this CVE, an adversary can exploit this vulnerability by submitting a specially crafted request that allows full control of the system. With full control of the system, the adversary can conduct malicious activity, of which stealing information and launching ransomware are two likely activities.
IntegraONE’s Incident Response team has been monitoring this vulnerability and noticed that volume of chatter on the dark web increased significantly over the weekend.
Because the Log4j library is used in many software products and services, the chances are high that companies use several affected products or services, making it difficult to identify all affected systems. It may take days or weeks for some vendors to supply information on the presence and nature of any vulnerabilities in their products and release patches that resolve those vulnerabilities. However, it’s important that all companies, big and small, take immediate action. The risk of experiencing an intrusion and data breach is extremely high.
Our recommendations for immediate actions are:
- Identify all software products and services using Log4j versions less than 2.15.0
- As possible, isolate vulnerable systems
- Update vulnerable systems as soon as patches become available
- Until patches are available, mitigate any vulnerabilities using instructions from Apache
- Check logs for any evidence of attack
NOTE: These links to resources outside of IntegraONE’s website are being provided as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by IntegraONE of any of the products, services or opinions of the corporation or organization or individual. IntegraONE bears no responsibility for the accuracy, legality or content of the external site or for that of subsequent links. Contact the external site for answers to questions regarding its content.