On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See the CISA alert and NIST alert.
Threat actors are actively exploiting and scanning for vulnerable systems worldwide. Authorities anticipate that threat actors’ efforts to exploit this vulnerability will grow exponentially over the coming weeks. Exploited systems are at risk for ransomware, data exfiltration, cryptomining, and other malicious activities perpetrated by criminal organizations and nation-state actors.
As with previously widespread vulnerabilities – such as SolarWinds and MS Exchange – companies should respond to the Log4j vulnerability in an organized and documented fashion, understanding the potential for regulatory requests to explain their response.
With a critical vulnerability as wide-spread as Log4j, for which exploitation tactics will continue to evolve, it is not sufficient to patch and scan. Knowledgeable counsel should be involved through all steps of the company’s assessments, containment, remediation, and documentation. Proper involvement of counsel can help to apply appropriate legal privileges and ensure the company is prepared for regulatory scrutiny as well as technical threats.
Recommendations
- Inventory all systems with Apache Log4j within your environments and upgrade all systems with vulnerabilities.
- Immediately upgrade all versions of Apache Log4j to 2.15.0.
- For systems that cannot immediately be upgraded, identify alternative remediation measures such as sandboxing, air gapping, or disconnecting systems from the internet. Apache has issued a mitigation guide for systems that cannot be immediately patched: https://logging.apache.org/log4j/2.x/security.html
- Preserve forensic evidence to the degree possible prior to remediating systems.
- Confirm that your security operations center is monitoring external-facing systems for indicators of compromise.
- Adjust firewalls and other endpoint tools to prevent outbound connections from systems with log4j. As open-source intelligence identifies IP addresses that are actively monitoring for the vulnerability, consider blacklisting those IP addresses.
- Ensure network logging exists to record activity related to a vulnerable Apache Log4j logging library.
- Verify with your service providers that their products and systems have patched or otherwise addressed the vulnerability.
- Review your incident response plan and add playbooks to address this vulnerability. Ensure that all response team contact information is up to date.
- If your company is involved in an acquisition, discuss the security steps taken within the target company to address the Log4j vulnerability.
