This article, while hastily written, will be as brief as possible with regard to log4j/log4shell. We’ve been updating our newsletter subscribers about it since shortly after the Minecraft exploitation. To subscribe to the newsletter for cyber security and intelligence news, tips, tricks, and tools, here’s the sign-up link: https://bsquaredintel.com/newsletter-signup/
Software vulnerabilities
log4j: A logging library developed by the Apache Software Foundation, used for logging events in applications.
- Assigned CVEs: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832
- Apache Log4j security bulletins: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
Java: Programming language developed by Oracle. The part relevant to the log4j vulnerability is the Java Naming and Directory Interface (JNDI) and how it interacts with LDAP (Lightweight Directory Access Protocol), a protocol used both for authentication and as a service for accessing directory data.
Date of exploitation
December 9th, 2021. The most notable of the systems exploited first were servers used to run the popular game Minecraft.
Impact of leaving systems unpatched
Attackers have the ability to run arbitrary code. Plainly, they have access to the whole system. This can lead to the installation of malware or the exfiltration of data.
How many systems are affected?
The Cybersecurity and Infrastructure Security Agency (CISA) estimates that hundreds of millions of devices are affected.
If you’re a developer or you have installed log4j for other reasons on your systems
- Update to the most recent version of log4j: https://logging.apache.org/log4j/2.x/download.html. Also make sure your version of Java is up to date: https://www.oracle.com/java/
- Conduct a vulnerability assessment of your environment and update any affected software. We’ll link to resources near the end of this article.
- Reach out to your vendors and service providers to see if they’ve been affected and what their status is on having things patched up.
If you’re a business that doesn’t do application development and/or hasn’t installed log4j directly in your environment
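A starting point for the vulnerability assessment step above, written for this article as an added example (it is not code from the original post or from Apache): a small Python scanner that walks a directory tree, opens every jar/war/ear, including archives nested inside other archives, and reports each bundled log4j-core with its version and whether the JndiLookup class is present. The version threshold MIN_FIXED_VERSION is an assumption; set it from the Apache security bulletin linked above before relying on the vulnerable flag.

```python
import io
import os
import re
import zipfile

# Assumed threshold: take the real value from the Apache Log4j security bulletin.
MIN_FIXED_VERSION = (2, 17, 1)  # hypothetical value; verify before relying on it
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a piece like '0-beta9' keeps only its leading digits."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def inspect_jar(data, path):
    """Yield one finding per log4j-core found in this archive or any archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container: nothing to inspect
    names = set(zf.namelist())
    if POM_PROPS in names:
        lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
        props = dict(l.strip().split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        version = props.get("version", "unknown")
        yield {"path": path, "version": version, "jndi_lookup_present": JNDI_CLASS in names,
               "vulnerable": parse_version(version) < MIN_FIXED_VERSION}
    elif JNDI_CLASS in names:
        # Shaded or repackaged builds may lack pom.properties yet still ship the lookup class.
        yield {"path": path, "version": "unknown", "jndi_lookup_present": True, "vulnerable": True}
    for name in names:  # fat jars and wars bundle further jars under WEB-INF/lib etc.
        if name.lower().endswith(ARCHIVES):
            yield from inspect_jar(zf.read(name), f"{path}!/{name}")

def scan(root):
    """Walk a directory tree and collect findings from every archive under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    findings.extend(inspect_jar(fh.read(), full))
    return findings
```

Call scan("/path/to/application") and review every finding whose version is unknown by hand, since a repackaged build can hide the version while still shipping the vulnerable lookup.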
- Conduct a vulnerability assessment of your environment and update any affected software. We’ll link to resources near the end of this article.
- Reach out to your vendors and service providers to see if they’ve been affected and what their status is on having things patched up.
If you’re just a consumer
- Make sure all of the applications you have installed on your devices are up to date. Equally important, contact vendors that you do business with and ask if they’ve been affected by the log4j vulnerability and what they’re doing to address the issue. Good places to start are your banks, insurance companies, financial investments, accountants, attorneys, healthcare providers and health insurance, schools/universities, municipalities, online shopping platforms, streaming service and anywhere else you provided sensitive data (SSNs, payment card data, financial data, health related data, IDs, usernames/passwords, etc.)
- Check the resources listed below too. Software you use may appear in CISA’s GitHub list of affected vendors.
Legal issues
The Federal Trade Commission on January 4th, 2022 issued a warning to businesses in the United States to patch Log4j. In their statement, they state:
When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action. According to the complaint in Equifax, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states. The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.
[Source: Federal Trade Commission]
Resources:
- CISA’s log4j web page https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance which provides guidance.
- CISA’s list on GitHub of all vendors reporting in on whether they’ve been affected or not. Many of the vendors on this list are heavy hitters whose products are ubiquitous throughout businesses. Check this one frequently. https://github.com/cisagov/log4j-affected-db
- TechSolvency. This resource provides a rundown of the log4j vulnerability. It includes updates of what’s happening, technical analysis, detection methods, vulnerability scanning, and news. NOTE: It is important that you properly vet any tools before you use them. We have not verified any in this list, and while there are some reputable vendors in this list we aren’t going to recommend one over the other, so do your due diligence. https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
News
- https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/
- https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html
- https://www.wired.com/story/log4j-log4shell-vulnerability-ransomware-second-wave/
- https://www.homelandsecuritynewswire.com/dr20211211-whats-the-deal-with-the-log4shell-security-nightmare
- https://www.schneier.com/blog/archives/2021/12/more-log4j-news.html
- https://threatpost.com/log4shell-attacks-origin-botnet/176977/
- 12/18/2021 news updates:
- Ransomware operators beginning to ramp up activity https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-revived-in-linux-windows-log4j-attacks/
- New log4j attack vector discovered using JavaScript WebSockets https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/
- Department of Health and Human Services is urging the healthcare sector, including medical device manufacturers, to assess if their systems are impacted by log4j vulnerabilities. This includes the use of third party software or services. https://www.govinfosecurity.com/log4j-flaw-healthcare-sector-warned-to-take-action-a-18149
- 12/24/2021 news updates:
- Trend Micro is looking into log4j vulnerabilities in connected cars and charging stations https://www.trendmicro.com/en_us/research/21/l/examining-log4j-vulnerabilities-in-connected-cars.html
- 12/28/2021 news updates:
- Checkmarx discovers new RCE in Log4j 2.17.0 https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/
- 12/29/2021 news updates:
- APT group in China targeting academic institutions looking for intellectual property. Log4j exploits are being used https://www.zdnet.com/article/apt-group-seen-attacking-academic-institution-through-log4j-vulnerability-crowdstrike/
Updates to this article:
- 12/18/2021: Added new CVE to “Software vulnerabilities” section. CVE-2021-45105
- 12/18/2021: If you’ve already updated Log4j prior to 12/18/2021, update again. We’ve added the Apache log4j security bulletin page link in the “Software vulnerabilities” section. The Log4j download page is in the “If you’re a developer or you have installed log4j for other reasons on your systems” section.
- 12/29/2021: Added new CVE to “Software vulnerabilities” section. CVE-2021-44832
- 1/4/2022: Added legal issues section.
A final word
Unless guidance from Apache or CISA changes, or more urgent news comes out, we won’t be updating this article any further. Please refer to the resources we linked to.
Secondly, for those that fall under any State or Federal law or regulation, tick tock. The lawsuits will be coming and time is running out to get your house in order. For those that fall under Connecticut’s Public Act 21-119 we urge you to contact us in the form below to see how our services can help your organization.