On December 9, 2021, the Apache Log4j project’s GitHub publicly disclosed a high severity vulnerability that impacts Apache Log4j 2 versions 2.0 to 2.14.1.   The vulnerability allows for unauthenticated remote code execution on Log4j 2, an open-source Java logging library used as a dependency by numerous enterprise applications and cloud services.

Currently, there are reports of this vulnerability being exploited in the wild; primarily resulting in the deployment of crypto mining software. However, given the nature of the vulnerability, it’s possible it could be adopted by other threat actors, and we will provide further information and guidance in a subsequent Security Advisory should new information become available.

// What you should do 

If you are running Apache Log4j, you should immediately evaluate the patch linked below:

If patching is currently not an option:

  • Block JNDI from making requests to untrusted servers by setting ‘formatMsgNoLookups’ to ‘true’. The ‘formatMsgNoLookups’ property was added in version 2.10.0, per the JIRA Issue LOG4J2-2109 [1] that proposed it. Therefore the ‘formatMsgNoLookups=true’ mitigation strategy is available in version 2.10.0 and higher, but is no longer necessary with version 2.15.0, because it then becomes the default behaviour.

// What Simplify Security’s MTR is doing 

For customers with Simplify Security MTR:

  • The MTR team is actively evaluating the available proof-of-concept to ensure appropriate detection coverage is available
  • The MTR team will continue to monitor your estates leveraging the latest intelligence surrounding this vulnerability and should we identify anything of concern, our operators will escalate accordingly.

If you are a customer without MTR, please speak to your IT service provider to further understand the potential impact this may have in your business.

// References 

GitHub POC

NIST

 

Recent blog posts

UPDATE: CVE-2021-44228 Apache Log4j 2 RCE – log4shell

UPDATE: CVE-2021-44228 Apache Log4j 2 RCE – log4shell

Since the news of this critical RCE (CVE-2021-44228) in Apache log4j was made public on Friday, Simplify Security's MTR team has been investigating activity to improve detection and response capabilities. As a quick summary, this vulnerability results from how log4j...

Introduction to the changes in New Zealand’s Privacy Act

Introduction to the changes in New Zealand’s Privacy Act

New Zealand’s privacy laws haven’t changed since 1993, but technology and the way we live our lives online has changed significantly since then. Around the world, privacy laws are being updated to cover the needs of our changing...

What is phishing and how to stop it

What is phishing and how to stop it

What’s phishing? Malicious emails that look genuine and try to trick you into providing data, spreading malware, or paying money. What are the risks? Phishing has led to massive financial losses, malware infections, and data breaches. How to stop phishing 41% IT and...