Log4j Vulnerability Summary
WHAT IS Log4j?
Log4J is a widely used Java library for logging error messages in applications. It is used in enterprise software applications, both custom and packaged, and forms part of many cloud computing platforms and services.
Referred to as “Log4Shell"
The Log4j 2 library is used in enterprise Java software and according to the UK's NCSC is included in Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift.
NIST Reference for this CVE can be found here.
WHAT IS AT RISK?
Any devices exposed to the internet are at risk if it’s running Apache Log4J, versions 2.0 to 2.14.1.
Log4j version 2 (Log4j2), the affected version, is included in Apache Struts2, Solr, Druid, Flink, and Swift frameworks.
Further; Mirai, a botnet that targets all manner of internet-connected (IoT) devices, has adopted an exploit for the flaw.
HOW DO WE BLOCK THIS THREAT?
Interestingly engough Azure App Gateway with WAF enabled is capable of blocking much of the threat. The challenge with this vulnerability is that it is quite difficult to block and intercept. Resolution is still best acheieved through patching or removal of the impacted libraries, discussed later in this summary article.
Combine upgrade to log4j v2.15.0 min with patching, and adding Azure Application Gateway WAF and Azure Firewall Rules to mitigate the threat is the best way to increase safety in this case.
In Azure Active Directory:
If you are using Azure AD Identity Protection, enable blocking on risky logins (recommended blocking on medium or higher). This will prevent access via ToR exit nodes and anonymizing VPNs.
PATCHES AVAILABLE?
Microsoft, Cisco, and VMware have released patches for their affected products; as well as instructions on how to proceed with hunting using Azure Sentinel for example.
IBM Websphere 8.5 & 9.0, Oracle products have also had patches issued already.
New patches are being released each day since the public disclosure, check with any product vendors with impacted products for information around mitigation and remediation of your impacted systems.
HOW TO MITIGATE THE THREAT
Apache advisory guidance: How to Mitigate CVE-2021-44228
The best way to mitigate this threat is to upgrade to minimum version 2.15.0 where this vulnerability is resolved.
To mitigate the following options are available (Advisory from Apache here):
- Upgrade to log4j v2.15.0
- If you are using log4j v2.10 or above, and cannot upgrade, then set the property > log4j2.formatMsgNoLookups=true
- Remove the JNDILOOKUP class from the CLASSPATH. For example, you can run a command like: [zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class] to remove the class from the log4j-core.
Further, use Azure Application Gateway WAF to support protecting against this and other threats. Learn more about building custom rules: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview.
Sources and Resources
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://logging.apache.org/log4j/2.x/security.html
https://arstechnica.com/information-technology/2021/12/hackers-launch-over-840000-attacks-through-log4j-flaw/?comments=1
https://www.wired.com/story/log4j-log4shell/
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/new-blog-post-microsoft-s-response-to-cve-2021-44228-apache/m-p/3037435
https://www.techrepublic.com/article/how-to-test-if-your-linux-server-is-vulnerable-to-log4j/
https://github.com/rubo77/log4j_checker_beta
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
https://docs.microsoft.com/en-us/answers/questions/660141/apache-log4j-2-vulnerability.html
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview