Dec 15, 2021
Along with the rest of the cybersecurity community, we have been continuously monitoring for any evidence of Log4Shell exploit attempts in our digital environment. So far, we have found no evidence that TOPIA or any of our systems have been affected by CVE-2021-44228 or CVE-2021-45046. It is also our current understanding that we are not vulnerable to either CVEs according to data gathered from extensive testing.
We will continue to monitor all of our systems and keep abreast of any new developments in the wild.
In brief, Log4Shell is the name given to a zero-day vulnerability in Apache’s Log4j, a ubiquitous and open source (check out the inherent risks of open-source software here) logging library that is embedded in virtually every Java based product or web service. It’s found in everything from web cams to Twitter to Apple iCloud. You’d be hard-pressed to find an application or piece of hardware that doesn’t use Log4j.
Log4Shell is pretty much any IT or cybersecurity professional’s worst nightmare. It’s difficult and time consuming to mitigate, it’s everywhere, and the potential damages are catastrophic: from data loss to the attacker gaining full server control. To make matters worse, these consequences are triggered by remote code execution (RCE) enabled by logging a string that enables a malicious actor to inject arbitrary code anywhere they see fit. All of these attributes have earned the Log4Shell vulnerability a CVSS score of 10, the most critical possible rating.
Check out this Naked Security article by Paul Ducklin for an in-depth examination of Log4Shell.
The short answer: nobody knows. While the vulnerability was disclosed to the public on December 9th, there’s evidence that it has been actively exploited by botnets since at least December 1st according to Cloudflare CEO Matthew Prince.
To put the current and potential impact into perspective, Check Point Software has published alarming numbers and deemed Log4Shell a “cyber pandemic.” Just seventy-two hours after the official disclosure, there were over 800,000 detected attacks and 60 variations on the original exploit according to Check Point. It’s been estimated that over half of all national corporations have been affected in one way or another, and it’s unlikely that the full extent of the damages will be known any time soon. And given the slowly turning wheel that is vulnerability mitigation, it seems likely that this vulnerability is going to stick around. Anyone remember Equifax and Apache Struts?
A number of different methods have sprung up in the last few days. Some of which promise permanent mitigation and others that act only as stopgap measures. A number of different techniques can be found on the LunaSec blog post concerning Log4Shell. Apache has also released two new versions of Log4j that disable access to the Java Naming and Directory Interface and require non-local hosts to be explicitly allowed.
If you are a TOPIA user, you have the power to remotely and efficiently patch to the newest version of Log4j or run mitigation scripts on all assets that are under the TOPIA umbrella.
What is Patch Management?Kent Weigle December 09, 2021
A Step in the Right Direction – Binding Operation Directive 22-01Kent Weigle December 31, 2021
What is Configuration Management?Kent Weigle December 09, 2021
What is Automated Patching?Kent Weigle December 09, 2021
What is Risk-Based Vulnerability Management?Kent Weigle December 09, 2021