Security Update (Updated 14/12/2021 15.30)
On 10th December 2021, Apache announced a new critical vulnerability in Log4j, CVE-2021-44228, dubbed ‘Log4Shell’, together with a fix. This vulnerability affects any organisation that uses Log4j directly or runs software with underlying Log4j dependencies. Apache strongly recommends that Log4j installations be updated to fixed versions as soon as possible.
CVE-2021-44228 - ‘Log4Shell’
CVSS score: 10.0
Log4Shell is an unauthenticated remote code execution vulnerability that gives threat actors complete control of systems running Log4j 2.0-beta9 up to 2.14.1. The JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behaviour is disabled by default.
The initial reports showed exploitation dropping coin miners, but newer information suggests ransomware operators will look to take advantage of this vulnerability. Integrity360 will continue to monitor our customers' estates, and activity in the wild, with extra care and due diligence for threat actors looking to capitalise on these critical vulnerabilities.
Integrity360 is working closely with Apache to ensure its customers can efficiently update their Log4j systems to the latest, most secure, and best-performing versions. Resources about the vulnerabilities, and about how to update or upgrade affected Log4j systems, are available in the Apache Log4j security bulletin.
Ensure pre-existing security controls such as WAFs and IPS devices are updated with the latest signatures to detect/prevent Log4Shell activity.
As always, Integrity360 Managed Security Service (MSS) customers will already be managed through our proactive security approach.
Product: Apache Log4j 2.0-beta9 up to 2.14.1