What is the Log4j Vulnerability?
On December 9, a severe remote code vulnerability was revealed in Apache’s Log4j, a prevalent logging system used by developers of web and server applications based on Java and other programming languages. The vulnerability affects many services and applications on servers, making it extremely dangerous.
The vulnerability, nicknamed Log4Shell or LogJam, forces Java-based applications and servers to log a specific string in their systems. Once the string is processed, the targeted system can be forced to download and run a malicious script that enables the system to be taken over remotely by attackers.
Security firms have observed multiple hosts scanning for servers utilizing Apache Log4j.
Log4j is utilized in most Java-based applications and servers, including almost all Apache enterprise products, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo, and possibly many more.
The Log4j 2 library is very frequently used in enterprise Java software. Due to this deployment methodology, the impact is difficult to quantify. Like other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe there will be an increasing number of vulnerable products discovered in the weeks to come. Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately.
Who is Affected?
Afinety has identified a list of affected companies via GitHub. The list is a community-driven effort and will be updated as more companies are identified. It currently includes the following companies and products:
- Apache Druid
- Apache Solr
- Apache Struts2
- ghidra server
- IBM Qradar SIEM
- PaloAlto Panorama
Actions taken by Afinety
On Friday, upon learning of this vulnerability, Afinety began conducting an initial assessment of any potential risk to all our systems, including those used to provide services to our clients.
The completed evaluation has shown no exposure to our internet-facing systems. We continue to evaluate and monitor our 3rd party software vendors for potential exposure to this vulnerability. So far, our 3rd party vendors have limited exposure to this vulnerability, and where relevant, we have followed the guidance provided by them to protect these systems.
Afinety recommends immediate updates to impacted servers with Apache Log4j to version 2.15.0 released by Apache on December 10, 2021. Afinety also recommends reviewing logs for impacted applications for any suspicious activity. If unusual activity is found, Afinety recommends treating it as an active incident and responding accordingly.
While Afinety is monitoring your environment, if you find a compromised system that is not managed by Afinety, we can help you investigate and monitor for signs of lateral movement and persistence. We will continue to monitor this dynamic situation and will provide updates as necessary.