Digital Risk

High Severity Threat Bulletin: Apache Log4J/Log4Shell

Mike Harris
By:
Contents

Active Threat Campaigns

A current and expanded active threat campaign is targeting organisational infrastructures to determine the presence and future exploitation potential resulting from this weakness.  Threat intelligence has additionally detected ongoing threat actor exploitations including: exfiltration of data, malware installation, crypto-miner deployment, ransomware, participation in bot nets, and taking control of the affected resources by planting back-door access tools for future use.

Grant Thornton is advising clients to activate response and remediation teams in advance of the upcoming Christmas holiday season to rapidly detect, remediate and mitigate risks associated. As this is a developing situation, additional details are forthcoming.

Background

Apache on December 9th disclosed details of the vulnerability (CVE-2021-44228) and again on December 14th (CVE-2021-45046) following discovery of incomplete patches for affected and supported products. Log4shell is an Unauthenticated Remote Code Execution (RCE) vulnerability that facilitates control of resources utilising Log4j versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0.  Log4j is a logging component of Apache widely reused in multiple java-based vendor software as is likely to exist within clients’ utilised technologies. All systems, including those that are not internet facing, are potentially vulnerable.

Remediation & Mitigation

Remediation:

Java 8 (or later) users should upgrade to Apache release 2.16.0.

Users requiring Java 7 should upgrade to Apache release 2.12.2.

Apache Mitigations:

If patches cannot be deployed remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

SOC Awareness:

Enumerate any external facing devices that have log4j installed.

Make sure that your security operations center is responding to each alert on the devices that fall into the category above.

Install a web application firewall (WAF) with rules to prevent Log4j headers, body, and URLs

Sources:

https://logging.apache.org/log4j/2.x/security.html

https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance