CVE-2021-44228 – Log4j
12.16.21
Update and Resources
This communication provides relevant updates and resources that clients should be aware of regarding the Log4j security flaw.
Binary Defense MDR is NOT IMPACTED by this vulnerability.
Binary Defense and our sister company TrustedSec have collaborated to provide guidance about Log4j in the blogs and webcast linked below. For convenience, we have also included Log4j direction from our SIEM partners.
As an extension to your security team, we expect to confidently get through this recent vulnerability together. If you need any additional assistance, please contact our Customer Success team.
Jen Campbell
Customer Success Manager
[email protected]
Binary Defense and TrustedSec Resources:
- Binary Defense Blog: https://www.binarydefense.com/advice-for-defenders-responding-to-the-log4j-vulnerability-cve-2021-44228
- TrustedSec Blog: https://www.trustedsec.com/blog/log4j-playbook/
- BD / TS Webcast: You can find the recording of this session here: https://www.youtube.com/watch?v=FovrlNawq5k
- BD / TS Webcast Slides: The slides from the presentation are also available here: https://www.trustedsec.com/wp-content/uploads/2021/12/121421-Log4j-Webcast-Final-Slides.pdf
SIEM Partner Resources:
- AT&T USM Anywhere: https://success.alienvault.com/s/article/are-USM-Anywhere-or-USM-Central-vulnerable-to-CVE-2021-44228
- LogRhythm: https://logrhythm.com/blog/cve-2021-44228-log4shell-detection/?utm_source=logrhythm-website&utm_campaign=topnav-promoter
- Securonix: https://www.securonix.com/resources/log4jlog4shell-zero-day-vulnerability/
- Microsoft Sentinel: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
- Splunk: https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228.html
High Severity Zero-Day Vulnerability
CVE-2021-44228 Affects Apache Log4j
12.10.21
A new zero-day vulnerability recently found in the popular Java logging library Apache Log4j is already being exploited in the wild, with a proof of concept (PoC) released publicly on GitHub. The vulnerability allows unauthenticated remote code execution, which could give an attacker full control of affected servers. Not only are versions 2.0 through 2.14.1 of Log4j at risk, but some Java programs that bundle the library are likely to be affected as well. Researchers from LunaSec wrote in a blog post: “Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it ‘Log4Shell’ for short.”
Analyst Notes:
Researchers have advised that organizations using the affected versions of Apache Log4j investigate for possible compromise. It is also advised to upgrade to log4j-2.15.0-rc1 as soon as possible. If immediate patching is not possible, researchers have developed a temporary mitigation that can be applied:
The following system property should be set to true when starting the Java Virtual Machine:
log4j2.formatMsgNoLookups
This is done by adding the JVM argument:
-Dlog4j2.formatMsgNoLookups=true
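To support the two actions above (investigate which hosts carry an affected log4j-core, and confirm the temporary mitigation is actually in place), the script below is an added example and not Binary Defense or TrustedSec code. It walks a directory for .jar files, reads the Log4j Maven pom.properties entry to get the version, checks whether the JndiLookup class is present, and classifies the jar against the 2.0 through 2.14.1 range stated in the advisory; a second helper checks a JVM command line for the -Dlog4j2.formatMsgNoLookups=true argument. The sample jars it builds are constructed for offline demonstration and contain only the two entries the checks look at, not real Log4j bytecode. One caveat worth knowing when reading its output: the formatMsgNoLookups property only exists in Log4j 2.10 and later, so a host whose jar reports an older 2.x version needs the upgrade rather than the flag.

```python
"""Added example (not the advisory's own tooling): inventory log4j-core jars and
check a JVM command line for the formatMsgNoLookups mitigation flag."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# Entries inside a log4j-core jar that the checks rely on.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Affected range from the advisory: 2.0 through 2.14.1, inclusive.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.15.0-rc1' into a comparable (major, minor, patch) tuple.
    A pre-release suffix such as '-rc1' is ignored for the range check."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable log4j version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


@dataclass
class JarFinding:
    path: str
    version: Optional[str]      # None when the jar is not log4j-core
    has_jndi_lookup: bool       # JndiLookup class present in the archive
    in_affected_range: bool     # version falls within 2.0 .. 2.14.1


def inspect_jar(path: str) -> JarFinding:
    """Read the jar's Maven metadata and class list; never executes anything."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
    affected = version is not None and AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    return JarFinding(path, version, has_jndi, affected)


def scan_tree(root: str) -> Iterator[JarFinding]:
    """Yield a finding for every .jar under root, skipping files that are not zip archives."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                try:
                    yield inspect_jar(os.path.join(dirpath, name))
                except zipfile.BadZipFile:
                    continue


FLAG_RE = re.compile(r"-Dlog4j2\.formatMsgNoLookups=(\S+)", re.IGNORECASE)


def has_nolookups_flag(jvm_cmdline: str) -> bool:
    """True when the JVM command line sets the mitigation property to true.
    The last occurrence wins, as with duplicate -D options on a JVM; the value
    comparison is case-insensitive because Java's Boolean.parseBoolean is."""
    matches = FLAG_RE.findall(jvm_cmdline)
    return bool(matches) and matches[-1].strip("\"'").lower() == "true"


def make_demo_jar(path: str, version: Optional[str], with_jndi: bool) -> None:
    """Constructed sample jar: only the metadata and class entry the checks read."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes


def run_demo() -> Dict[str, JarFinding]:
    """Build a small constructed jar tree, scan it, and return findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_jar(os.path.join(tmp, "log4j-core-2.0.jar"), "2.0", True)
        make_demo_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_demo_jar(os.path.join(tmp, "log4j-core-2.15.0-rc1.jar"), "2.15.0-rc1", True)
        make_demo_jar(os.path.join(tmp, "other-lib.jar"), None, False)
        return {os.path.basename(f.path): f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for name, f in sorted(run_demo().items()):
        status = "AFFECTED" if f.in_affected_range else "ok"
        print(f"{status:8} version={f.version or '-':12} jndi={f.has_jndi_lookup} {name}")
    print("mitigation flag set:",
          has_nolookups_flag("java -Dlog4j2.formatMsgNoLookups=true -jar app.jar"))
```

Point scan_tree at an application's lib directory (or a whole filesystem) to inventory real jars; a jar that reports a version in range, or that carries JndiLookup without any version metadata (for example a shaded or renamed copy), is the one to prioritise for patching or for the flag.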
Analysis for this vulnerability is ongoing as more information is discovered.
For Binary Defense MDR and SIEM customers, we are actively monitoring the situation, and the SOC is operating at a higher level of vigilance while looking for post-exploitation activity related to this exposure.
Sources: