RocketCyber Log4j Vulnerability Advisory

*This KB article is an update to the messages that have been posted over the past several inside the RocketCyber portal in the "Notifications" alert bar.  We are adding this KB for wider visibility (outside of the product notifications) and continue to update the in-product notification and this article.

**Update December 19, 2021**

A DoS vulnerability has been found in the "fixed" Log4j versions (CVE-2021-45105) and Apache has released new Log4j versions - 2.17.0.  This means even if you updated to Log4j 2.16.0 you are vulnerable to this DoS attack.  Users should immediately update to the new release (2.17.0) or review the mitigation recommendations at the Apache site: https://logging.apache.org/log4j/2.x/security.html 

RocketCyber has updated our Log4j Detection App to consider Log4j 2.16.0 vulnerable and will trigger a security incident if the vulnerable versions are found on devices.

**Update December 14, 2021**

Unfortunately, it has been found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

A new CVE has been issued (CVE-2021-45046) and Apache has issued a new fix - Log4j version – 2.16.0. This means, if you upgraded to 2.15.0 or applied mitigation recommendations, you may still be vulnerable. Users should immediately update to the new release (2.16.0) or review the mitigation recommendations at the Apache site: https://logging.apache.org/log4j/2.x/security.html.

RocketCyber has updated our Log4j Detection App to now consider log4j 2.15.0 (along with versions 2.0-beta9 to 2.14.1) vulnerable and will trigger a security incident if the vulnerable versions are found on devices.

 

**Original Advisory Below**

Overview & Impact

Recently, a critical vulnerability in the Apache Log4j Java-based logging utility was announced (see: CVE-2021-44228) and affects Log4j versions 2.0-beta9 to 2.14.1.  Customers are urged to update to version 2.15.0 or apply configuration changes that are recommended by Apache in the following link: https://logging.apache.org/log4j/2.x/security.html 

This vulnerability is particularly critical because Log4j is widely used in open source and commercial software and remote exploitation of the vulnerability against any internet-facing server is trivial using a single HTTP post.  Exploitation results in full system compromise.  The vulnerability has a CVSS Score of 10 out of a possible 10 meaning it is as bad as it gets.

RocketCyber Detection

RocketCyber has seen repeated attempts to exploit this vulnerability in the wild.  Our Advanced Breach Detection and Cyber Terrorist Network Connections Apps provide detection of shell scripts and other techniques which may be used in an attack and our SOC team has been monitoring customer devices closely to detect compromises.

New Log4j App

RocketCyber released a new App that has additional capabilities specific to Log4j to detect the presence of vulnerable versions of Log4j and automated threat hunting for indicators of compromise based on log records.

Given this is a fluid threat, you may see false positives due to the complexity of detecting the Log4j library and its use.  Detection of a log file does not mean that you have been exploited (as we are seeing widespread scanning and attempts to exploit across the internet and such attempts may show up various logs without being successful).  Any detections are being triaged by our SOC team, combined with multiple sources (logs, detection of log4j libraries and advanced breach detection) and will be escalated to a security incident if action is required to reduce false positives.

Customers need to enable this app if they wish to add these enhanced scans by taking following steps:

1. In the left hand navigation select "App Store" as shown below:

app_store.jpg

2. Look through the Apps and find Log4J Detector and flip the switch to ON

mceclip1.png

 

Once you have enabled the App will automatically start working and no action is required by administrators.

Attack Details

As stated in the above section, the attack is trivial to exploit if a vulnerable version of log4j is being used by the application.  The image below was created by the Swiss Government Computer Emergency Response Team and is perhaps the easiest to understand visual representation of the attack (credit: GovCERT.ch).  The best defense is to upgrade log4j to 2.15.0 or apply the log4j configuration changes to mitigate the attack as outline in the Apache Security Notice at: https://logging.apache.org/log4j/2.x/security.html 

 

The log4j JNDI attack

 

 

 

 

 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us