The Long Tail Matters with Apache Log4j

On Thursday, December 9, 2021, a researcher with the Alibaba Cloud Security Team discovered and released (via tweet) sample code for a vulnerability in the Java-based Apache Log4j logging framework. We initially wrote about the vulnerability over the weekend, highlighting that it was already creating mayhem on enterprises around the world, and provided our recommendations for how security teams should respond. While this topic is being widely addressed across the Internet, I do wish to provide some additional perspective here. Apache, Java, and Log4j are EVERYWHERE. They’re embedded in standard off-the-shelf software, IoT devices, industrial devices, consumer devices & applications, assets managed by 3^rd parties, appliances, custom applications and more. The impact is massive and far-reaching as it lurks in both obvious and not so obvious places. The challenge for most security teams is they typically don’t have visibility to everything in their environment. This is why it is essential to see everything so you can determine what assets are at risk.

What We Know

Log4j is a remote code execution (RCE) vulnerability documented in CVE-2021-44228. It can be triggered by sending specially-written code to the vulnerable Log4j component. Exploits are small enough to fit into a tweet or chat message.  Many examples are floating around the Internet. If an exploit is successful, it will give an unauthenticated attacker complete access to the targeted system. This is a critical, easily exploited, Internet-facing RCE that threat actors are actively exploiting. Armis has already seen and detected live exploits in our customer environments. This should come as no surprise as Apache and Java are used everywhere across the Internet and the vulnerability is easy to exploit.

The Long Tail Matters

On December 11, 2021, CISA Director Jen Easterly issued a statement urging immediate action to drive mitigation of this vulnerability and has now followed up by creating a webpage offering vulnerability guidance. This only serves to underscore the severity of the vulnerability as the ubiquitous nature of Apache makes this particularly troubling. Log4j versions released from September 21, 2013 to December 6, 2021 are all vulnerable. The significance here is that this library is so ubiquitous that it will likely take years to get rid of and in reality, a large long tail of assets may never get patched. What about the devices that are already shipped and in the supply chain that are not yet deployed? What happens when IoT devices that contain the vulnerability, currently sitting on your loading docks or in Amazon warehouses, get plugged into your network? Are you ready?

Armis Is Ready to Help

Armis recommends a structured defense in-depth response around the following areas:

• Asset Visibility – Do I have an accurate inventory of everything in my environment that is running Apache/Java and using Log4j? Armis sees and identifies every asset for 100% complete visibility: across IT/OT/IoT/IoMT managed and unmanaged assets, both on the network and in the cloud.
• Risk Assessment – What devices in my environment are vulnerable or need to be assessed further to confirm potential exposure? Armis can help you map out the devices in your environment running Apache and/or Java and other applications, identify the specific devices requiring further review (e.g. confirming exact software versions), and hone in on specific configurations or deployments that are potentially impacted by such exposures.
• Threat Assessment – Am I currently experiencing active exploitation attempts or has a malicious threat actor already successfully exploited the vulnerability in my environment? Armis researchers have analyzed the vulnerability and developed queries that will quickly identify active attempts to exploit the flaw so that you may isolate or quarantine vulnerable systems and initiate patching efforts.
• Protect Your Environment – What can I do to manage my risk and reduce my exposure? Isolate or quarantine vulnerable systems and initiate patching efforts. Activate active asset management and security so you don’t have to wait for the problems to happen, you can manage them continuously. Armis easily integrates with your existing security and management tools, provides an extra layer of protection of an extensive knowledgebase that can detect and respond to exploits, and thus protects assets that haven’t been or can’t be patched.
• Empower Actions to Minimize Business Impact – What business services, solutions or critical infrastructure could be impacted if the vulnerability is exploited, or have been experienced as a result of an active impact? Armis IP connection mapping provides insights into the breadth of the business impact by illustrating in a visual map which assets are communicating with other assets that may be compromised.

Armis provides an extra layer of protection by providing a knowledgebase that can detect and respond to exploits, and thus protect assets that haven’t been or can’t be patched. Armis provides active asset management and security so you don’t have to wait for the problems to happen, you can manage them continuously.

For more information, please visit https://www.armis.com/log4j.