Day: January 3, 2022

We would like to make you aware of a critical and widespread unauthenticated Remote Code Execution (RCE) vulnerability involving Apache’s Log4j Java logging library.

Update – December 28th, 2021 (CVE-2021-44832)
On December 28th, Apache confirmed yet another vulnerability (CVE-2021-44832) that affects Log4j 2.0-beta7 to 2.17.0 (excluding 2.3.2 and 2.12.4). This is a new remote code execution vulnerability that requires an attacker to have permissions to modify the logging configuration file in order to be exploited. Apache has released Log4j 2.17.1 to fix this and previous vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105).

December 16th, 2021 (CVE-2021-45105)
On December 16th, Apache confirmed another vulnerability (CVE-2021-45105) that affects Log4j 2.0-alpha1 to 2.16.0 (excluding 2.12.3). It has been discovered that certain non-default configurations could allow attackers to perform a denial-of-service attack. Apache has released Log4j 2.17.0 to fix this and previous vulnerabilities associated with CVE-2021-44228 and CVE-2021-45046

SecurIT360 Managed Services Impact
According to FortiNET, FortiSIEM is listed as one of their applications that is impacted by Log4j.  We have followed the recommended mitigation steps across our FortiSIEM infrastructure.  Access to our FortiSIEM product externally is controlled by IP whitelisting, therefore only approved IP addresses can communicate with our environment by design. Their advisory page for this exploit is here for reference.
For Carbon Black, we use their cloud product and do not utilize any on-prem servers; therefore, it is not vulnerable to Log4j.  Their advisory page for this exploit is here for reference.

Detection of Vulnerable Log4j Versions

• You can still utilize these detection methods that have been published to GitHub by security researchers
• Nessus has released another updated plugin to help detect vulnerabilities associated with Log4j.  Our SOC analysts continue to run Nessus external vulnerability scans for all SecurIT360 MDR managed service clients as new plugins are released and will alert on successful findings.
  • So far, we have not detected any vulnerable versions via the external Nessus scans.  All scheduled routine external scans will continue to utilize this new plugin going forward.
  • An external scan is not enough, we do recommend utilizing the open-source tools mentioned above to detect all instances of Log4j in your environment.  Nessus plugins are also available for internal credentialed scans which can provide more thorough detection.
  • If you would like us to assist with Log4j detection utilizing Nessus Internal/External scanning please let us know and we can notify your account representative.
  • If you are a MDR managed client and would like us to update the external targets and rerun the scan or rerun the scan following a successful upgrade, please reach out via email to soc@securit360.com
• A community-maintained list of known IPs associated with this exploit can be found here
  • All SecurIT360 MDR managed service clients are receiving alerts on permitted web traffic involving these known IP addresses
• Hashes of vulnerable versions can also be found here for internal detection. Routine searches for these hashes are being conducted in Carbon Black across all SecurIT360 EDR managed service clients, we will alert on successful findings
  • All EDR managed service clients will be alerted to potential exploit activity if detected.

Recommended Mitigation Steps

• Identify all applications in your environment that use Log4j and follow vendor guidance
• Utilize open-source detection tools, Nessus, etc.
• Upgrade to version Log4j 2.17.1 or later as soon as possible.
• If upgrading is not feasible, we recommend following Apache’s mitigation guidance for Log4j 2.10 and later which can be found here
• Restrict egress traffic to approved destinations at your firewall
  • IP Whitelisting
  • Restrict the types of traffic going out such as LDAP
• Consider preemptively blocking known IPs associated with this exploit at your firewall
• CSV format
• TXT Format

Links

• CISA Apache Log4j Vulnerability Guidance – https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
• CISA security advisory – https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
• CVE-2021-44228 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
• CVE-2021-45046 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
• CVE-2021-45105 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
• CVE-2021-44832 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832