Upcoming CloudWarden Webinar: GUARD Your Cloud From Threats 24/7 with Horangi's All-New Cloud SOC
logo

EN

Products +

Services +

Customers +

Partners +

Resources +

Log4j2 Vulnerability: Horangi Is Here To Help With New And Updated Warden Rules

Automate Log4j2 Vulnerability Checks and Reduce Chances of Log4j2 Exploits with New and Updated Rules on Warden While You Apply Patches and Install Updates

UPDATE: This blog was first published on 23 December, 2021, and has been updated to include the release of Log4j version 2.17.1 to address a new vulnerability.

Update: Apache Releases Log4j Version 2.17.1 To Address New Vulnerability

Apache released Log4j 2.17.1 on 27 December 2021 to address a new vulnerability CVE-2021-44832

According to the Log4j project website, “Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

CVE-2021-44832 has a base CVSS score of 6.6, and is not a critical vulnerability since attackers will first have to have admin access to your server in order to edit the logging configuration file.

If most of your Log4j instances are already at version 2.17.0, you may choose to update them to Log4j 2.17.1 later, after you have applied all recommended updates and patches. Or you can simply update all your Log4j to version 2.17.1 if there remains older versions to be updated.

Warden Now Has Rules To Make Exploitation Less Likely

We updated some existing rules and added new rules on Warden that identify vulnerable workloads and add layers of protection to help make Log4j2 exploitation less likely.

Warden, Horangi's flagship cloud security platform to protect infrastructure and permissions, now comes with these new rules:

  • ElasticSearch/OpenSearch Version Vulnerable to Apache Log4j2 Vulnerability (CVE-2021-44228): Detect vulnerable ElasticSearch/OpenSearch Domains
  • Enable Global WAF Web ACLs for Protection Against Apache Log4j2 Vulnerabilities: Enable Global WAF Web ACLs to block Log4j2 attacks
  • Enable Regional WAF Web ACLs for Protection Against Apache Log4j2 Vulnerabilities: Enable Regional WAF Web ACLs to block Log4j2 attacks

These updated rules on Warden act as defense-in-depth to break the chain of attack in the event a vulnerable Log4j2 instance exists:

  • Network ACL Inbound Traffic Not Restricted (AWS): Prevent connection from public to EC2 instances
  • Network ACL Outbound Traffic Not Restricted (AWS): Compromised EC2 instance with unrestricted outbound access may result in data exfiltration
  • ElasticSearch Domain Publicly Accessible to the Internet (AWS): Unpatched ElasticSearch domains may be compromised.
  • Elasticsearch Exposed Domains (AWS): Unpatched ElasticSearch domains may be compromised.
  • Default EC2 Security Groups in Use (AWS): Compromised EC2 instances with default EC2 security group with unrestricted outbound access may result in data exfiltration
  • Ensure the Default Security Group Restricts All Traffic (Huawei): Compromised ECS instance with unrestricted outbound access may result in data exfiltration
  • Ensure that Access is Restricted from the Internet to All Ports (GCP): Prevent connection from public to Compute instances

All new and updated rules are immediately available to users of Warden.

While the new and updated rules provide some level of protection, threat actors and Ransomware-as-a-Service (RaaS) providers are always looking for new ways to exploit the vulnerability. 

5 Ways To Stay Safe

1. Update Log4j2 and apply vendor patches

Update your Log4j2 to version 2.17.1, and also apply any patches from your vendors that address the Log4j2 vulnerability.

Unfortunately, just updating Log4j2 to version 2.17.1 is not as straightforward as it seems. You may face two major difficulties in comprehensively remediating the vulnerability:

  1. Log4j2 may be deeply embedded in applications, several layers down in some cases.
  2. Threat actors can use the unpatched vulnerabilities in your customers, partners, or suppliers’ systems to attack you. Warden’s updated rules will act as defense-in-depth to break this chain of attack in the event a vulnerable Log4j2 instance exists.

2. Source code review

Use commercial or open-source software, or even engage professional services to review your Java source code to ensure that your code does not contain any vulnerabilities.

3. Active scanning

Deploy commercial scanners or open-source tools to test endpoints. You can also engage professional services such as penetration testing or red teaming to assist in these scans.

4. Check for residual risks

Threat actors may have compromised your infrastructure in the window between the vulnerability being made known and the availability of the updated Log4j2 update and vendor patches. Conduct a compromise assessment to hunt for and eradicate residual threats.

5. Reduce chances of exploitation with Horangi Warden

Warden now includes new and updated rules in the automated scans to: 

  1. Detect vulnerable ElasticSearch/OpenSearch Domains
  2. Enforce WAF ACLs to protect against Log4j2 vulnerability exploitation while you continue patching
  3. Act as defense-in-depth to break the chain of attack in the event a vulnerable Log4j2 instance exists

Our professional services team are currently engaging our existing penetration testing customers to help check for and remediate the Log4j2 vulnerability. 

The Long-Term Solution: A Healthy Cybersecurity Posture

It will take some time to remediate the Log4j2 vulnerability and its repercussions. 

Dozens of commercial and open-source online applications and service providers such as Amazon, Microsoft, IBM and Google, use the open-source library in their offerings. 

As long as there are cybercriminals, vulnerabilities and exploits will be part of our lives. The best long-term solution remains achieving and maintaining a healthy cybersecurity posture.

However, that’s easier said than done. Hiring and retaining qualified cybersecurity professionals can both be difficult and expensive with the worldwide shortage of such personnel.

One of the best ways to overcome that is through automation — you can deploy Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlements Management (CIEM) tools to automate compliance checks and threat detection. 

Warden is Horangi’s agentless and multi-cloud CSPM and CIEM tool that comes with built-in compliance automation recognized by Gartner, Threat Detection, Vulnerability Remediation, and DevSecOps integration to help you achieve a healthy cybersecurity posture. 

Trusted by companies such as NalaGenetics, Singlife, Veraset and Gnowbe, Warden reduces IAAS security risks by up to 80%, provides 10 times faster compliance audit and evidence, and helps reduce cybersecurity overheads by up to 70%. You can install it in about 10 minutes and immediately enable full asset discovery and management.

Automated compliance checks on Warden include both international and Asia-specific compliance standards such as Singapore's MAS-TRM and Indonesia's OJK. Coupled with one-click compliance reporting, you are audit-ready all the time. Threat detection is based on the MITRE ATTA&K Framework, and Warden offers playbook, terraform, manual and one-click remediation options to help you remediate with confidence.

Warden is supported on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Alibaba Cloud, and Huawei Cloud.

If you are looking for protection against the Log4j2 vulnerability today and achieve a healthy cybersecurity posture in the future, why not contact us for a demo or sign up for a 14-day trial today?

Isaiah Chua

Isaiah Chua is a Content Marketing Specialist at Horangi who loves talking about technology, cybersecurity, and content marketing. He's an avid reader who can't get by a day without good music and gallons of coffee.

Subscribe to the Horangi Newsletter.

Be the first to hear about Horangi's upcoming webinars and events, up-and-coming cyber threats, new solutions, and the future of cybersecurity from our tech experts.