A flurry of security research teams offered solutions and guidance over the weekend to protect systems and networks from Log4Shell, the zero-day remote code execution (RCE) vulnerability in Apache's popular Java logging library Log4j 2, which one expert described as the most critical vulnerability seen all year.
Further reinforcing the significance of the vulnerability, the Cybersecurity and Infrastructure Security Agency even moved early today to put Log4Shell on its "known exploited vulnerabilities catalog."
In a blog post late last week, researchers from LunaSec said anyone using Apache Struts was also vulnerable. The researchers noted that similar vulnerabilities were exploited in earlier attacks such as the Equifax breach in 2017.
As for potential mitigations, Cybereason researchers developed and released a “vaccine” for the vulnerability (CVE-2021-44228). The vaccine has been made freely available on GitHub. Cybereason researchers say it’s a relatively simple fix, available to any organization, which requires only basic Java skills to implement.
“The vaccine we developed changes the settings in the vulnerable server,” said Yonatan Striem-Amit, chief technology officer at Cybereason. “Our payload will get loaded by the server and the code within will change that vulnerable server to non-vulnerable, essentially patching the vulnerability. The vaccine makes a server immune to the vulnerability, allowing defenders ample time to patch at their leisure.”
Also over the weekend, Randori confirmed the exploitability of Jamf and VMware products via Log4Shell. Other enterprise products are exploitable as well, and the company's researchers are working with the vendors to get patches and remediations out. Randori said its working exploits achieve code execution via unauthenticated network vectors on Jamf and multiple VMware products, including vCenter and Horizon. Use this link to find details on how to mitigate VMware and Jamf products.
Bharat Jogi, senior manager for vulnerabilities and signatures at Qualys, added that the Apache Log4j zero-day vulnerability probably stands as the most critical vulnerability his team has seen this year. Jogi said Log4j 2 is a ubiquitous library used by millions of Java applications for logging error messages. The vulnerability is trivial to exploit; attacks are already happening, and the Qualys team has seen proof-of-concept (PoC) exploits posted publicly on sites such as Twitter and GitHub. Follow this link for a detailed analysis of Log4Shell.
“The Qualys Research team is actively working on this vulnerability,” Jogi said. “We anticipate that we will see many vendors releasing security advisories for the offerings related to this vulnerability in the coming weeks. We recommend users update their applications to the latest build for Log4j2 or apply mitigations on an urgent basis.”
Here’s a list of other summaries and guidance on Log4Shell that will be updated as more emerge:
Sister brands MSSP Alert and ChannelE2E are tracking the impact on the managed service provider community, with BlackPoint Cyber, Huntress and others weighing in on the remediations required.
This is a developing story. Check back to SC Media periodically for new coverage on the vulnerability and efforts to mitigate the threat.