On December 9, 2021, the Apache Log4j project’s GitHub publicly disclosed a high severity vulnerability that impacts Apache Log4j 2 versions 2.0 to 2.14.1. The vulnerability allows for unauthenticated remote code execution on Log4j 2, an open-source Java logging library used as a dependency by numerous enterprise applications and cloud services.

Currently, there are reports of this vulnerability being exploited in the wild, primarily resulting in the deployment of crypto mining software. However, given the nature of the vulnerability, it is possible it could be adopted by other threat actors, and we will provide further information and guidance in a subsequent Security Advisory should new information become available.

// What you should do 

If you are running Apache Log4j, you should immediately evaluate the patch linked below:

If patching is currently not an option:

  • Block JNDI from making requests to untrusted servers by setting ‘formatMsgNoLookups’ to ‘true’. The ‘formatMsgNoLookups’ property was added in version 2.10.0, per the JIRA issue LOG4J2-2109 [1] that proposed it. Therefore, the ‘formatMsgNoLookups=true’ mitigation is available in version 2.10.0 and higher, but is no longer necessary from version 2.15.0, because disabling lookups then becomes the default behaviour.
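To turn the version ranges above into a repeatable check, the following added example (not part of the original advisory) reads the log4j-core version from a jar's Maven pom.properties and classifies it against those ranges: vulnerable (2.0 to 2.14.1), mitigation property honoured (2.10.0 and higher), and fixed by default (2.15.0 and higher). The jar used here is constructed in memory; the pom.properties path is the standard Maven layout.

```python
"""Classify a log4j-core version against the advisory's ranges."""
import io
import re
import zipfile

# Standard Maven location of the artifact metadata inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' (or '2.14.1-SNAPSHOT', '2.10') into a tuple like (2, 14, 1)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def classify(version):
    """Apply the advisory's ranges to one log4j-core version string."""
    v = parse_version(version)
    vulnerable = (2, 0, 0) <= v <= (2, 14, 1)        # 2.0 to 2.14.1 per advisory
    mitigation = vulnerable and v >= (2, 10, 0)      # property exists from 2.10.0
    return {
        "version": version,
        "vulnerable": vulnerable,
        "formatMsgNoLookups_available": mitigation,
        "action": "patch to 2.15.0 or later" if vulnerable else "no action",
    }


def log4j_core_version(jar_bytes):
    """Read the version from a jar's pom.properties, or None if it is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def make_sample_jar(version):
    """Constructed sample: an in-memory jar carrying only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.8.2", "2.14.1", "2.15.0"):
        print(classify(log4j_core_version(make_sample_jar(v))))
```

On a real host, replace `make_sample_jar` with the bytes of each log4j-core jar found on the classpath; jars lacking pom.properties return None and need manual inspection.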

// What Simplify Security’s MTR is doing 

For customers with Simplify Security MTR:

  • The MTR team is actively evaluating the available proof-of-concept to ensure appropriate detection coverage is available
  • The MTR team will continue to monitor your estates leveraging the latest intelligence surrounding this vulnerability and should we identify anything of concern, our operators will escalate accordingly.

If you are a customer without MTR, please speak to your IT service provider to further understand the potential impact this may have in your business.

// References 

GitHub POC

NIST
