How to Fix the Java Log4j Vulnerability
- Written by: Trevor Kems
IT and cybersecurity teams saw their priorities immediately reordered in December 2021 when hackers began widespread exploitation of a vulnerability discovered in Java Log4j. Since news of the vulnerability broke, teams scrambled to evaluate how the vulnerability affected their systems and to deploy the required patches. The information below summarizes the latest information on the breach.
If you need help identifying and fixing your vulnerability (or if you have experienced a breach related to Log4j), contact our incident response team immediately via our website.
What is the Vulnerability?
On December 10, 2021, news broke about a critical remote code execution (RCE) vulnerability in the Java library called Log4j, which is part of open-source code maintained by the Apache Software Foundation. It is widely used by enterprise software developers. That means a long list of big-name companies and software providers are affected, including Amazon Web Services (AWS), IBM, Oracle, Cisco, Apple, Minecraft, ConnectWise and many others.
Hackers immediately began scanning the Internet for vulnerable systems and launching hundreds of attempts per minute to exploit the vulnerability. On affected systems, hackers could gain the ability to remotely execute code and compromise or export sensitive data. You can read Apache’s advisory on the vulnerability here.
How Do I Update the Apache Log4j Library?
Any Log4j-core version from 2.0-beta9 to 2.14.1 is considered vulnerable and should be updated to 2.17.1 or later. Update your version of Apache to 2.17.1 to close the vulnerability. The log4j issue (also called CVE-2021-44228 or Log4Shell) was patched in the update.
Log4j version 2.15.0 also is available. This version does not disable JNDI functionality by default and allows messages lookups. While some software supports 2.16.0, other software may still rely on the JNDI functionality. In that case, you should use version 2.15.0. Before updating, ensure that the correct patched version is selected. For software that does not rely on JNDI functionality or messages lookups, version 2.17.1 or later should be used.
A second vulnerability (CVE-2021-44832) released on December 28, 2021, affects a patched version of Log4j, version 2.17.0. While rated a CVSS of 6.6, it should be noted that this vulnerability can allow remote code execution in systems when the Log4j configuration file is loaded from a remote location.
Due to the lower CVSS score and higher complexity requirements for exploitation, fewer users may be impacted. However, if possible, users should update to version 2.17.1 or later as version 2.17.1 patches this vulnerability.
What other Applications Are Vulnerable?
Updating your version of Apache won’t address the vulnerabilities in the numerous applications that use the Apache library. You’ll need to update each of those applications as their developers release updates. Expect numerous communications from software vendors who are updating their products in order to close the vulnerability. You can review a list of known software vulnerabilities at this site.
Many older applications that rely on the Java runtime are potentially vulnerable. This can include web frontends, servers and other frameworks that use the Log4j library to log data. Even if the main application is not Java-based, it may use Log4j for logging. Plan on applying multiple upgrades and patches to your system.
Within hours of the vulnerability’s discovery, our Security Operations Center (SOC) installed new detections/mitigations to protect the systems of our Extended Detection and Response (XDR) customers. The new rules created by our analysts detect attempted exploitation; block malicious Java processes; block executable files unless they meet specific criteria; and more. We are also actively processing and adding additional Indicators of Compromise as they are disseminated through various channels.
How Do I Check for the Vulnerability on My System?
You should run a vulnerability scan on your system. You also can test it by using a local or third-party DNS logging service. Submit a request with the following:
If the server requests a DNS lookup, it should be logged with the provider.
What Should I Do to Protect My System?
In addition to upgrading your version of Apache and installing the patches that software vendors provide, CISA also recommended these three additional steps:
- Enumerate any external facing devices that have log4j installed.
- Make sure that your SOC is actioning every single alert on the devices that fall into the category above.
- Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
What if I Can’t Update or The Application Vendor Hasn’t Updated Their Software Yet?
Software vendors have likely published patches for affected applications. Be sure to check patch or release notes to find fixed versions. Adding the JVM flag can prevent the vulnerability.
The HBS incident response team is currently helping clients analyze and remediate their exposure to Log4j. For help with your specific situation, contact the HBS incident response team immediately via our website. This situation is continuing to evolve, and we’ll update this blog as new information becomes available. You also should regularly check CISA’s Apache Log4j Vulnerability Guidance for new information.