On December 9, 2021, a zero-day vulnerability (ie, previously unknown and not yet patched) concerning Java was detected by several threat-detection researchers. Named CVE-2021-44228, it exploits a weakness in the Java logging utility log4j. Log4j is used by nearly everything written in Java, from consumer software and web applications to enterprise products with names like Apple, Twitter, and Minecraft. Additional research has made it clear that this is a severe cybersecurity event that warrants immediate action. Numerous devices, applications, and cloud service providers have already been impacted. At the time of writing, the number of vulnerable environments being identified is continuing to grow.
How the vulnerability works
According to the cybersecurity organization Huntress, the CVE-2021-44228 attack vector “is extremely trivial for threat actors. A single string of (malicious) text can trigger an application to reach out to an external location if it is logged via the vulnerable instance of log4j. This acts as a springboard to another attacker-controlled endpoint, which serves Java code to be executed on the original victim. Ultimately, this grants the adversary the opportunity to run any code they would like on the target: remote code execution.”
This is also referred to as a complete system takeover.
Umbrella's response
Given the ubiquitous nature of the Java logging library and the potential for numerous entry points, CVE-2021-44228 presents a serious security challenge. Current Umbrella clients should know that we are monitoring and managing this situation to keep them safe. We are performing emergency reviews on all client systems to determine the likelihood of risk and the potential impacts. At-risk clients will be contacted with instructions if required.
We have identified third party applications that will need to be patched by the application vendors. In addition, our cybersecurity partners have provided steps for us to take to keep Umbrella-managed endpoints protected, and we have confirmed these safeguards are in place.
Non-umbrella organizations who use the log4j library should upgrade to log4j-2.15.0.rc2 immediately, but understand this is not necessarily a complete solution. They should communicate with their software vendors and work with an IT professional to ensure their vulnerability is assessed and protections are in place.
Umbrella is committed to doing everything in our power to protect our clients from cybercrime by providing guidance on how to avoid falling victim to attacks. If you become aware of any suspicious activity or fear that you may be in danger of an imminent threat, reach out to us.
Questions or concerns about your organization’s legacy systems? Contact us here.
Additional technical information for IT Professionals:
| Severity: | Risk: High, 10 of 10 |
|---|---|
| Issue Date: | 12/10/2021 |
| CVE Number/s: | CVE-2021-44228 |
| Product Name: | Apache Log4j |
| Vulnerability Name: | Apache Log4j |
| Affected Versions: | Apache Log4j between versions 2.0 and 2.14.1 |
| Overview of Vulnerability: | A vulnerability has been discovered in Apache Log4j, a very ubiquitous logging package for Java. This critical vulnerability is affecting a Java logging package log4j which is used in a significant amount of software, including Apache, Apple iCloud, Steam, Minecraft and many other cloud providers. Successful exploitation of this vulnerability could allow for arbitrary code execution within the context of the systems and services that use the Java logging library, including many services and applications written in Java. Depending on the privileges associated with these systems and services, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If these systems and services have been configured to have fewer user rights, exploitation of this vulnerability could have less impact than if they were configured with administrative rights. |
| Systems Affected: | Apache Log4j between versions 2.0 and 2.14.1 |
| Source of Vulnerability Identification: | Chinese security researcher first posted the exploit code online. |
| Investigation Details: | While this vulnerability is related to Apache and Java this component can exist as proprietary code built-in to any vendors applications using their own code design making the discovery difficult to identify. Is recommended that companies test patches provided by their specific application vendors to ensure there is no business system impact, and promote to your production business systems ASAP. |
| Remediation Details: | General recommend actions: · Apply the latest patches (version 2.15.0) provided by Apache after appropriate testing. · Run all systems and services as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. · Apply the Principle of Least Privilege to all systems and services. NOTE: Above recommended patch assumes use of a standard Apache implementation vs a hybrid or proprietary implementation. Actual patch or mitigation may vary by application vendor. |