Apache is one of the 5 most popular web servers utilized on the Internet and threat actors are actively looking to exploit a new zero-day vulnerability in its Java-based Log4j logging framework. The ubiquitous, open-source Apache framework is used by developers to keep a record of activity within an application. While most consumer applications have moved away from Java, there are still countless enterprise applications and cloud services where Java is heavily utilized and threat actors are actively scanning the Internet for affected systems.
Exploit Code Already Published
So what’s really at stake here? Vulnerability details have been documented as CVE-2021-44228 and highlight that an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. An attacker can exploit the vulnerability and send malicious code that gets logged by Log4j version 2.0 or higher. The exploit lets the attacker load arbitrary Java code on a server, allowing them to take control. Some third parties have already published samples of exploitation on Github that illustrate the breadth of vulnerable applications.
Active Exploitation Already Underway—Assess Your Risk Now
This vulnerability can have a wide-ranging impact on any enterprise as Apache is incorporated in a large number of applications and services across the enterprise. The challenge here is that affected systems can run the gamut of standard off-the-shelf software as well as custom applications, so the impact can be far-reaching. Apache has released Log4j 2.15.0 to address the vulnerability, so it is imperative that enterprises quickly evaluate their environment to understand what systems are vulnerable and remediate those systems.
What Security Teams Should Do
Security teams need to take a defense-in-depth approach to address this critical vulnerability and take the following steps immediately. Starting with scanning the entire environment to find all applications that are vulnerable to the Log4j vulnerability. Once those applications are identified, it is important to apply the Log4j2.15.0 update which addresses the specific flaw. In order to protect against any potential exploitation in your cloud environment, it is important to also apply updated rules to your WAF, so that there is no opportunity for exploitation of these assets while patching is in the process of being finalized.
Armis Can Help
Armis researchers analyzed the vulnerability and developed queries through the powerful Armis Standard Query (ASQ) tool, which quickly identifies active attempts to exploit the flaw so that you may isolate or quarantine vulnerable systems and initiate patching efforts.
For more information and to take a free Log4J Risk Assessment, visit our Log4j Resource Center