Blog
What To Do: Apache’s Log4j Vulnerability
Apache’s Log4j is a powerful open-source logging library used by millions of developers worldwide. However, Apache recently discovered an extremely dangerous vulnerability that could leave your applications and servers vulnerable to attack! In this blog post, we will explain what the Log4j vulnerability is, and how you can protect your organization from being exploited. We will also provide instructions on how to upgrade your Log4j installation. So don’t wait – read on to learn more!
Apache’s Log4j, now named Log4Shell (CVE-2021-444228), allows remote code execution (RCE) on servers/computers that gives a hacker the ability to import malware, which could compromise machines. Apache’s Log4J is a logging tool used in many Java based applications that affects a broad range of services and applications.
TSI’S RECOMMENDATIONS
#1 – Identify the Existence of Log4j Library in Your Environment
Review software leveraged in your environment and identify applications that are impacted by this vulnerability. A preliminary list of impacted software is available here.
NOTE: This is list is not comprehensive.
#2 – Confirm your Application Vendors Apply the Latest Security Patch, if Necessary
Apache has addressed the vulnerability in Log4j 2.15.0. Because the security patch is not automatically applied, it is best to contact software vendors leveraging the Log4j 2 package and confirm they applied the security patch as soon as possible.
#3 – Implement Available Workarounds
If upgrading to Log4j 2.15.0 is not immediately feasible, Apache recommends implementing the following workarounds to mitigate this vulnerability:
- In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class, will cause the JndiContextSelector to no longer function.
- Versions of Log4j since 2.7: specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
#4 – Prevent Impacted Devices from Initiating Outbound Connections
Any vulnerable infrastructure identified with CVE-2021-44228 should have its ability disabled to communicate externally until a security patch has been applied or mitigations have been implemented.
For a complete overview of this vulnerability, please refer to the link below:
Microsoft Security Response Center: Apache Log4j (CVE-2021-44228)
Get in Touch with TSI
To find out more information about how Apache’s Log4j Vulnerability may impact your organization or to get answers to any other important questions you may have, please give us a call at 508-543-6979 or send us a message here to get started.
Categories
- Backup & Disaster Recovery
- Business Operations
- Case Studies
- Cloud Services
- Cyber Security
- Employee Spotlight
- Finance & Budgeting
- Glossary Term
- Governance & IT Compliance
- Managed Services
- Mobile Device Management
- Network Infrastructure
- NIST 800-171 & CMMC 2.0
- PCI
- Podcast
- Project Management
- TSI
- Uncategorized
- vCIO
Cyber Security Policy Starter Kit:
10 Critical Policies That Every Company Should Have in Place