Specific to ISA Cybersecurity customers
We have completed all Log4j patching and threat mitigation strategies on our systems, and we have consulted closely with our vendor and supplier partners to ensure we are all working together to defend our customers and our internal operations.
We continue to follow the latest news on the Log4j vulnerability. Here are the latest developments as of December 19, 2021.
Apache issues a third patch
Apache has released version 2.17.0 (for Java 8 and above) of Log4j. The patch – the third since news broke of the vulnerabilities in the Java logging library – fixes potential DDoS vulnerabilities in the software that were not addressed in previous versions. With the new patch comes a new CVE number. The three patches and the vulnerabilities they address are listed below:
+ Version 2.15 – CVE-2021-44228 (severity 10.0 – critical)
+ Version 2.16 – CVE-2021-45046 (severity 10.0 – critical)
+ Version 2.17 – CVE-2021-45105 (severity 10.0 – critical)
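To turn the table above into a check, the following Python (an added example, not part of this advisory or of any Apache or vendor tooling) reads the version out of a discovered log4j-core jar and reports which of the three CVEs that version still leaves open. It assumes the jar carries the standard Maven pom.properties file that the official log4j-core build ships with; the 2.12.x backports for Java 7 are not modelled, and a jar without that metadata (a shaded or uber jar, for instance) is reported as unknown rather than safe.

```python
import io
import re
import zipfile
from pathlib import Path
# Fix levels from the table above (Java 8+ line): the first log4j-core 2.x release that
# closed each CVE. The 2.12.x backports for Java 7 are deliberately not modelled here.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.14.1' or '2.17' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def log4j_core_version(jar_bytes):
    """Version recorded in pom.properties inside the jar, or None if it is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None  # shaded/uber jars lack this file: 'unknown', not 'safe'
        lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
        props = dict(line.partition("=")[::2] for line in lines if "=" in line)
    version = props.get("version")
    return parse_version(version) if version else None

def outstanding_cves(version):
    """CVEs from the table that this log4j-core 2.x version is still exposed to."""
    if version[0] != 2:
        return []  # Log4j 1.x is end-of-life and outside the scope of these three CVEs
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]

def scan_tree(root):
    # Map every identifiable log4j-core jar under root to the CVEs it still leaves open.
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        version = log4j_core_version(jar.read_bytes())
        if version is not None:
            findings[str(jar)] = outstanding_cves(version)
    return findings

def make_sample_jar(version):
    """Constructed stand-in for a log4j-core jar, used for offline testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()
```

Point scan_tree at an application's library directory; for products that bundle Log4j inside their own packaging, where no separate jar is visible, rely on the vendor statements linked further down rather than on this scan.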
CISA issues emergency directive
On December 17, CISA issued an emergency directive calling for all U.S. government agencies to patch or mitigate Log4j vulnerabilities by December 23 at 5:00 p.m. ET, and to provide a comprehensive report of all actions taken by December 28 at 5:00 p.m. ET.
Full scope of Log4j problem coming into focus
Analysis of the Maven Central Java package repository suggests that over 35,000 Java packages – accounting for over 8% of the entire system – have direct or indirect exposures due to the Log4j vulnerabilities. As of December 20, fewer than 5,000 of those packages had been patched.
Centralized resources on Log4j impacts
CISA is also maintaining a comprehensive directory of systems with Log4j vulnerabilities. They have set up a GitHub page providing a detailed (albeit unlinked) listing of over 500 affected platforms and services. The page is under constant revision and update, so check often for the latest information. For a more curated view, Bleeping Computer has provided a centralized link page with additional commentary and insight that can help answer questions about specific hardware and software systems.
Conti ransomware gang targeting Log4j vulnerabilities in VMware
Russian-language ransomware group Conti has aggressively focused on the numerous Log4j exposures in the VMware platform. VMware has up to 40 products and versions affected by the Log4j vulnerability and, to date, has not released patches for most of them. Conti is reportedly targeting vCenter servers, using a successful penetration as a launching point for deploying ransomware across an organization’s network infrastructure. VMware has set up a central page with patch statuses and mitigation strategies for its applications; VMware users are urged to evaluate their exposure immediately, especially given the specific threats posed by Conti.
ISA Cybersecurity is here to help
The scope of potentially affected systems and the volume of rapidly changing information online can seem overwhelming. If you have further questions or require immediate assistance, please do not hesitate to contact us to discuss any concerns.