Log4j Update

Updated advice for Log4J(20/12/2021) 

Over the weekend another 2 vulnerabilities have been released for the latest patched version of Apache Log4J 2.16 and unaffected version of 1.2. It is recommended to patch to the latest version of Log4J to 2.17 or can be mitigated by changing the configuration to Apache’s advice (https://logging.apache.org/log4j/2.x/security.html).  

Information of each vulnerability is below –  

CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0) 

CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw only affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0) 

Please reach out if you need any additional information or ongoing support around this.

On Friday 10th December 2021 a vulnerability was discovered in the popular Java extension Log4j.

Log4j was a library used in the vast majority of Java applications for logging, such as big names like Minecraft and VMware.

When the Log4j library receives or process a 'malicious payload', it can reach out to an attacker-controlled server, to download instructions on the next steps.

In most situations, this could lead to the disclosure of sensitive data such as API keys, but in some scenarios can lead to the compromise of an entire asset or assets, in an attack known as Remote Code Execution (RCE).

Solution

Sadly, although the fix is easy, it might not be simple; An updated version of the Log4j library has been released (version 2.16 or greater), which deploys a mitigation for this attack; However, Log4j may be built into many of the applications you use daily, without your knowledge.

What steps can I take?

Unfortunately, it could take days, weeks or months for suppliers repackaging their applications to include the updated Log4j release into their software products, but the good news is that there are steps you can take now to mitigate the risk:

1) Identify your internet facing assets

2) Scan the inside and outside of your organisation, to identify any assets know to contain this vulnerability (WB already doing this).

3) Identify software, Commercial of the Shelf (CoTS), Open Source, or Custom Developed that use the Log4j library, ensure these are all updated ASAP

4) Ensure all updates and patches are installed ASAP after release

5) Minimise inputs from external or untrusted sources and these could be the key to a 'malicious payload' getting into your organisation.

This might be ‘contact us’ forms, live chats, emails, log collection, threat intelligence feeds, etc.

Reach out for Support

We know this can be a worrying time but we are here to support you with any cyber security queries you may have. You can get in touch at info@wolfberrycs.com or for more resource to support you please see wolfberrycs.com