Critical Vulnerability Alert: Log4j
This page will be updated as additional information is released.
Last Updated: December 20, 12:00pm EST
On December 10, the National Institute of Standards and Technology (NIST) issued a Common Vulnerabilities and Exposures (CVE) entry for a vulnerability in Log4j. When exploited, this vulnerability can give an attacker the ability to run code remotely. It is even more critical because active exploits are available and being run across the Internet, including mass scans for vulnerable systems. The vulnerability is tracked by NIST as CVE-2021-44228.
Log4j is a Java framework/package used for application logging in Java applications. By using this framework, you can output log messages from the Java application without changing the application’s binary package. This allows for easier logging, and especially debugging, of Java applications. It is used widely in both open source and commercial web interfaces and applications, and this widespread use contributes to the severity of the vulnerability. It is important to note that many of the logs Log4j processes are application-specific (in many cases debug) logs, so they are probably not being sent to security information and event management (SIEM) systems.
Since the announcement of the CVE, Apache has released multiple patches to address the vulnerability directly. Many applications have also been updated to address the vulnerability in their specific products. The list below contains the resources that Nexum is putting together to help you find any systems that may be affected. In addition, the Nexum SNOCC is working directly with our managed services customers to help them detect and block remote exploits.
US NIST – https://nvd.nist.gov/vuln/detail/CVE-2021-44228
US CISA – https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
Palo’s Unit42 – https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
GitHub Scanner Repo – https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
Nexum Technology Partner Responses
Palo Alto Networks – https://security.paloaltonetworks.com/CVE-2021-44228
F5 – https://www.f5.com/company/blog/protection-against-apache-log4j2-vulnerability
Check Point – https://www.checkpoint.com/latest-cyber-attacks/critical-vulnerability-in-apache-log4j
Forescout – https://www.forescout.com/blog/forescout%E2%80%99s-response-to-cve-2021-44228-apache-log4j-2/
ExtraHop – https://www.extrahop.com/company/blog/2021/log4j-security-exploit/
Malwarebytes – https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend
Fortinet – https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability
Aruba – https://www.arubanetworks.com/website/techdocs/sdwan/docs/advisories/media/security_advisory_notice_apache_log4j2_cve_2021_44228.pdf
Cloudflare – https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
Cisco – https://tools.cisco.com/security/center/resources/prod_svc_info_log4j.html
Tenable – https://www.tenable.com/cve/CVE-2021-44228
Splunk – https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html
Juniper – https://blogs.juniper.net/en-us/security/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
Aviatrix – https://aviatrix.com/resources/solution-briefs/aviatrix-log4j-vulnerability-assessment-techbrief