How to Mitigate Your Risk from Apache Log4j

Ongoing Advisory Updates

2021-12-17

Coretek continues to monitor the Apache Log4j vulnerability and will continue to work with our customers to mitigate the risk revolving around this exploit. Although information about this vulnerability may continue to evolve, Coretek will stay up to date with the latest information from reliable sources (linked below) as it is released. The breadth of impact the Apache Log4j vulnerability can have on exploited systems is substantial, and Coretek will continue to provide updates to Coretek customers on an ongoing basis.

Threat Summary

Since the Apache Log4j (or Log4Shell) began circulating on December 9, 2021, The breadth of impact the Apache Log4j vulnerability can have on exploited systems is substantial. Apache Log4j, also known as Log4Shell, is a Java-based logging library embedded in many software products like Amazon, Broadcom, Cisco, Cloudera, Splunk, and VMware, for example, that Coretek Customers may use daily.

This RCE vulnerability creates a conducive opportunity for a possible attack that hackers can use to exploit a remote code execution, which can run arbitrary code on a targeted machine or system. This type of attack on public-facing systems can deploy various malware, ranging from Crypto Miners to Trojan Backdoors and Ransomware payloads within the system that is running the vulnerable software.

This vulnerability is tracked as CVE-2021-44228, and is an unauthenticated RCE vulnerability allowing a complete system takeover on systems with Log4j 2.0-beta9 up to 2.14.1. Apache addressed the exploit with the release of Log4j 2.15.0; however, researchers discovered CVE-2021-45046 on December 14, 2021, in Log4j 2.15.0 that could result in a denial of service (DoS) attack in some non-default configurations. We recommend updating to Log4j version 2.16.0 to remediate both CVE-2021-44228 and CVE-2021-45046.

What Coretek is Doing for Customers

Coretek is actively running scans for this exploit for all customers with vulnerability scanning agreements in place. Additionally, Coretek is reviewing and patching the software that is managed on their behalf when feasible.

Coretek Recommendations

Monitor Software Vendor Security Patch Advisories for Log4j 

Vendors are reviewing their tools and releasing vendor-specific patches as they become available. 

Coretek strongly advises that you: 

• Monitor software vendor security advisories
• Cross-reference several sources for accuracy
• Address these vulnerabilities and any related vulnerabilities identified after this content is published for remediation 

The Cybersecurity and Infrastructure Security Agency (CISA) uses the GitHub community-sourced repository to centralize publicly available vendor advisories. Please note that this list may not be comprehensive and will continue to be updated as new information is made available. 

Conduct Vulnerability Scans & Utilize Scripting

If you are unsure if your company is running Log4j in your environment, Coretek recommends conducting privileged vulnerability scans (Credentialed or Agent) to assess the level of risk of this exploit to your environment.  Additionally, we recommend tracking some of the latest versions of scripts being released to find Log4j that vulnerability and inventory scanners may have missed.

Remove Log4j from the Vulnerable Device(s)

Verify if the software is needed by another application. If Log4j is not needed, uninstall it. It is possible that servers may be hosting software that is no longer needed. Removing unneeded software will protect the device from this and any future vulnerabilities related to Log4j.

Patch Vulnerable Software 

Coretek advises customers running older versions of Log4j in their environment (where Coretek does not manage the application) to upgrade to the current patched version, as more bugs are being discovered. Please note that Operating System (OS) or system-level patches may or may not update Log4j, so verify that the applications that use Log4j are updated to use the most current library.

Enhance Network Security

Ensure your perimeter firewalls have the latest signatures for blocking the known Indicators of Compromise (IOCs) for attacks against Log4j. Because of the amount of attack traffic, due diligence is warranted to verify that all systems are protected. Confirm that you have adequate network security by enrolling in detection and response platforms with monitoring. Most importantly, be sure your incident response plans and remediation/recovery plans are updated and ready for action in case of an issue.

Update Your Detection and Response Platform

Coretek recommends updating your detection and response platform to ensure detection of real-time Indicators of Compromise and Indicators of Attack (IOCs/IOAs) of a compromised system if something is missed during the scans.

References & Additional Resources

If you are a Coretek customer, and have questions about Coretek remediation actions or your support agreements, or are a visitor who would like more information, please get in touch here.

• Apache Log4j Security Vulnerabilities
• Arctic Wolf - Important Update on Critical Log4j Vulnerability - CVE-2021-44228
• Bleeping Computer - New zero-day exploit for Log4j Java library is an enterprise nightmare 
• Bleeping Computer - All Log4j, logback bugs we know so far and why you MUST ditch 2.15
• Broadcom - Apache Log4j Zero-Day Being Exploited in the Wild 
• CISA - Apache Log4j Vulnerability Guidance
• NIST NVD  CVE-2021-44228 Detail 
• Microsoft’s Response to CVE-2021-44228 Apache Log4j 2   
• GitHub - cisagov / log4j-affected-db
• Splunk - Log4Shell - Detecting Log4j Vulnerability (CVE-2021-44228) Continued
• VMware - VMSA-2021-0028 & Log4j: What You Need to Know