On Thursday, December 9, 2021, a researcher with the Alibaba Cloud Security Team discovered and released (via tweet) sample code for a vulnerability in the Java-based Apache Log4j logging framework. We initially wrote about the vulnerability over the weekend, highlighting that it was already creating mayhem for enterprises around the world, and provided our recommendations for how security teams should respond. While this topic is being widely addressed across the Internet, I do wish to provide some additional perspective here. Apache, Java, and Log4j are EVERYWHERE. They’re embedded in standard off-the-shelf software, IoT devices, industrial devices, consumer devices and applications, assets managed by third parties, appliances, custom applications and more. The impact is massive and far-reaching because the library lurks in both obvious and not-so-obvious places. The challenge for most security teams is that they typically don’t have visibility into everything in their environment. This is why it is essential to see everything, so you can determine which assets are at risk.
The Log4j vulnerability, documented in CVE-2021-44228, is a remote code execution (RCE) flaw. It can be triggered by sending specially crafted input to the vulnerable Log4j component. Exploits are small enough to fit into a tweet or chat message, and many examples are floating around the Internet. If an exploit is successful, it gives an unauthenticated attacker complete access to the targeted system. This is a critical, easily exploited, Internet-facing RCE that threat actors are actively exploiting. Armis has already seen and detected live exploits in our customer environments. This should come as no surprise, since Apache and Java are used everywhere across the Internet and the vulnerability is easy to exploit.
On December 11, 2021, CISA Director Jen Easterly issued a statement urging immediate action to drive mitigation of this vulnerability, and CISA has since followed up by creating a webpage offering vulnerability guidance. This only underscores the severity of the vulnerability: the ubiquitous nature of Apache makes it particularly troubling. Log4j versions released from September 21, 2013 to December 6, 2021 are all vulnerable. The significance here is that this library is so ubiquitous that it will likely take years to eliminate and, in reality, a large long tail of assets may never get patched. What about the devices that have already shipped and are in the supply chain but not yet deployed? What happens when IoT devices that contain the vulnerability, currently sitting on your loading docks or in Amazon warehouses, get plugged into your network? Are you ready?
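The post's point is that triage starts with inventory: which assets bundle a Log4j build from the vulnerable window, which are Internet-facing, and which you simply cannot answer for yet. The following is an added example of that triage, not code from Armis or the original post. The only facts it takes from the page are the vulnerable window dates; the inventory records, field names (`log4j_release`, `internet_facing`, `uses_log4j`) and asset names are constructed and hypothetical.

```python
from datetime import date

# Vulnerable window as stated in the post: Log4j releases from
# September 21, 2013 through December 6, 2021 (inclusive).
VULN_WINDOW_START = date(2013, 9, 21)
VULN_WINDOW_END = date(2021, 12, 6)

# Constructed sample inventory (hypothetical assets, not real data).
# log4j_release is the release date of the bundled Log4j build, or None
# when the asset owner could not determine it yet (the visibility gap
# the post describes). uses_log4j defaults to True when absent.
INVENTORY = [
    {"asset": "hr-portal-01", "owner": "AppTeam", "internet_facing": True,
     "log4j_release": date(2021, 3, 12)},
    {"asset": "build-agent-7", "owner": "DevOps", "internet_facing": False,
     "log4j_release": date(2021, 12, 10)},
    {"asset": "badge-reader-3f", "owner": "Facilities", "internet_facing": False,
     "log4j_release": None},
    {"asset": "legacy-erp", "owner": "Finance", "internet_facing": True,
     "log4j_release": date(2014, 1, 5)},
    {"asset": "print-server", "owner": "IT", "internet_facing": False,
     "log4j_release": None, "uses_log4j": False},
]


def classify(asset):
    """Return 'not_affected', 'unknown', 'vulnerable' or 'outside_window'."""
    if not asset.get("uses_log4j", True):
        return "not_affected"
    released = asset["log4j_release"]
    if released is None:
        # No evidence either way: must be verified, not ignored.
        return "unknown"
    if VULN_WINDOW_START <= released <= VULN_WINDOW_END:
        return "vulnerable"
    return "outside_window"


def priority(asset, status):
    """Lower number = work on it first. Internet-facing and confirmed
    vulnerable outranks everything; unverified assets still get a slot."""
    exposed = asset.get("internet_facing", False)
    if status == "vulnerable":
        return 0 if exposed else 1
    if status == "unknown":
        return 2 if exposed else 3
    return None  # not part of the work queue


def triage(inventory):
    """Return the work queue as (priority, asset, status) tuples, sorted."""
    queue = []
    for asset in inventory:
        status = classify(asset)
        rank = priority(asset, status)
        if rank is not None:
            queue.append((rank, asset["asset"], status))
    # Sort by priority, then by name for a stable, reviewable listing.
    return sorted(queue)


if __name__ == "__main__":
    for rank, name, status in triage(INVENTORY):
        print(f"P{rank}  {name:<16} {status}")
```

Assets with an unknown Log4j release date stay in the queue on purpose; dropping them would reproduce exactly the blind spot the post warns about. A build dated after the window is reported as `outside_window` rather than "safe", because the page gives a date range, not a fixed version, and the owner should confirm the actual version in place.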
Armis recommends a structured defense-in-depth response around the following areas:
Armis provides an extra layer of protection through a knowledge base that can detect and respond to exploits, and thus protect assets that haven’t been or can’t be patched. Armis provides active asset management and security, so you don’t have to wait for problems to happen; you can manage them continuously.
For more information, please visit https://www.armis.com/log4j.