Currently, there are reports of this vulnerability being exploited in the wild; primarily resulting in the deployment of crypto mining software. However, given the nature of the vulnerability, it’s possible it could be adopted by other threat actors, and we will provide further information and guidance in a subsequent Security Advisory should new information become available.
// What you should do
If you are running Apache Log4j, you should immediately evaluate the patch linked below:
If patching is currently not an option:
- Block JNDI from making requests to untrusted servers by setting ‘formatMsgNoLookups’ to ‘true’. The ‘formatMsgNoLookups’ property was added in version 2.10.0, per the JIRA Issue LOG4J2-2109 [1] that proposed it. Therefore the ‘formatMsgNoLookups=true’ mitigation strategy is available in version 2.10.0 and higher, but is no longer necessary with version 2.15.0, because it then becomes the default behaviour.
// What Simplify Security’s MTR is doing
For customers with Simplify Security MTR:
- The MTR team is actively evaluating the available proof-of-concept to ensure appropriate detection coverage is available
- The MTR team will continue to monitor your estates leveraging the latest intelligence surrounding this vulnerability and should we identify anything of concern, our operators will escalate accordingly.
If you are a customer without MTR, please speak to your IT service provider to further understand the potential impact this may have in your business.
// References
GitHub POC
NIST
![[Security Advisory] Active Exploitation of Unpatched VMware ESXi Servers](https://simplifysecurity.co.nz/wp-content/uploads/2023/02/MDR-1-400x250.png)
