On December 10th, warnings of the zero-day vulnerability found in the Java logging library, Apache Log4j 2.x, began to emerge. It is now known to be actively exploited by attackers to exfiltrate data or execute arbitrary code.
Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications for logging security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
What is the scale of the Log4j exploit?
According to TechSpot, over 840,000 cyberattacks were recorded using the exploit within 72 hours of the initial discovery. Breaches grew exponentially over the first few days, with as many as 400,000 in the first 36 hours. Cybersecurity & Infrastructure Security Agency (CISA) Director Jen Easterly stated that the vulnerability will be widespread, and CISA stated that hundreds of millions of devices are likely affected and could be exploited by a broad range of threat actors. In our blog Launch extended detection and response steps to manage Log4j vulnerability, we advise customers to employ a breach mentality.
Log4j vulnerability timeline
The Log4j story is continuously evolving and organizations need to stay aware of the latest developments. Here are some key events:
- December 10, 2021: Apache released Log4j 2.15.0 for Java 8 to address a remote code execution (RCE) vulnerability – CVE-2021-44228.
- December 13, 2021: Apache released Log4j 2.12.2 for Java 7 and Log4j 2.16.0 for Java 8 to address an RCE vulnerability – CVE-2021-45046.
- December 15, 2021: Log4j 1.x is vulnerable, although at lower risk, when logging is configured to use JMSAppender – CVE-2021-4104. The recommendation is to upgrade to Log4j 2.x.
- December 17, 2021: Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DoS) vulnerability – CVE-2021-45105.
- December 28, 2021: Apache released version 2.17.1 to address CVE-2021-44832.
- Update – January 18, 2022: Three new high-to-critical advisories were issued for Log4j 1.x (CVE-2022-23302, CVE-2022-23305 and CVE-2022-23307). Log4j 1.x is no longer maintained and the recommendation is to upgrade to version 2.17.1 (for Java 8 and later), version 2.12.4 (for Java 7), or version 2.3.2 (for Java 6).
Software developers should review the Apache Log4j Security Vulnerabilities page for additional mitigation and fixes. IT Professionals can also consult CISA guidance on Apache Log4j vulnerability and a software vendor inventory with status information.
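As an added example (not OpenText's or Apache's code), the script below shows one way to inventory Log4j jars against the timeline above: it reads the Maven pom.properties that log4j and log4j-core jars embed, then compares the version found with the recommended release for the host's Java line. The jars it scans are constructed in memory, and the mapping of Java version to recommended release is taken from the January 18, 2022 update.

```python
import io
import re
import zipfile

# Recommended minimum releases per Java line, from the January 18, 2022 update.
RECOMMENDED = {6: (2, 3, 2), 7: (2, 12, 4), 8: (2, 17, 1)}
# Path of the Maven descriptor inside log4j (1.x) and log4j-core (2.x) jars.
POM_RE = re.compile(r"^META-INF/maven/[^/]+/log4j(?:-core)?/pom\.properties$")

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); '2.0-beta9' -> (2, 0, 0); a missing patch part becomes 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups(default="0"))

def log4j_version_in_jar(jar_bytes):
    """Return the version declared in the jar's pom.properties, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_RE.match(name):
                for line in zf.read(name).decode("utf-8").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        return value.strip()
    return None  # no descriptor (e.g. shaded/uber jar): needs a different check

def assess(version, java_major):
    """Return (needs_upgrade, recommended_version) for an installed Log4j version."""
    target = RECOMMENDED[8 if java_major >= 8 else java_major]
    installed = parse_version(version)
    if installed[0] < 2:
        return True, target        # 1.x is unmaintained: migrate to the 2.x line
    return installed < target, target

def make_sample_jar(group, artifact, version):
    """Constructed stand-in for a real jar: it contains only the pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"version={version}\ngroupId={group}\nartifactId={artifact}\n")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("org.apache.logging.log4j", "log4j-core", "2.14.1", 11),
               ("log4j", "log4j", "1.2.17", 8),
               ("org.apache.logging.log4j", "log4j-core", "2.12.4", 7)]
    for group, artifact, ver, java in samples:
        found = log4j_version_in_jar(make_sample_jar(group, artifact, ver))
        print(artifact, found, "Java", java, "->", assess(found, java))
```

Jars that embed Log4j classes without the Maven descriptor (shaded or uber jars) return None here and need a class-level check instead.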
OpenText™ can help with your Log4j response process
Our Security Services provide advice, guidance and assistance to organizations, from small and medium sized businesses to large enterprise organizations, including public sector and government. Our services include Risk & Compliance Consulting, Digital Forensic and Incident Response (DFIR), and Managed Services. To help organizations with their Log4j response, OpenText recommends a process following a standard incident response (IR) methodology, and suggests organizations carry out critical activities such as vulnerability scanning, penetration testing and threat hunting. To learn about additional services, please see the OpenText Security Services catalog.
Log4j Vulnerability Scanning and Penetration Testing
Our penetration testing identifies exposure that arises from zero-day vulnerabilities, misconfigurations and improper patch management processes. OpenText consultants will use Open Web Application Security Project (OWASP) and other frameworks to identify high-risk areas and determine the impact, should they be penetrated.
Log4j Threat Hunting
The OpenText Threat Hunting service uses advanced threat intelligence and cybersecurity expertise to quickly identify and assess threats within an environment. Undetected threat actors, dwelling in your environments for months or years, are identified through their suspicious behavior. The service will uncover these anomalies, such as non-human patterns, spikes of activity outside normal business hours and other red flags that may indicate an attack, insider theft, or intentional destruction or exfiltration of data.
Log4j Breach Response / Incident Response
OpenText Security Services uses best-of-breed technologies with custom workflows leveraging machine learning and MITRE ATT&CK frameworks. Breach response is carried out in real time, reducing the time to remediate exponentially. Our breach response team can begin within a matter of hours and comes equipped with the tools, know-how, and extensive DFIR experience.
Managed Detection and Response
OpenText will detect a threat in minutes, not days. Managed Detection and Response Services provide complete visibility of a customer’s environment (network, endpoints, e-mail, mobile and cloud) and allow us to provide a rapid response to isolate and remediate any threats within minutes of detection.
Call on OpenText to support your Log4j response
To discuss further how OpenText can help with your Log4j response process and support your efforts with our security services, request a call with our Security Experts today.
OpenText will continue to share information on the Log4j vulnerability in its Threat Alerts blogs.