Cybersecurity Alert | How Apache Log4j is Impacting Operations

Vulnerability detected in Apache Log4j

In December 2021, the Apache Log4j zero-day exploit ravaged headlines and operations faster than snow turns to slush. The vulnerability, initially reported as a Minecraft bug compromising multiple servers, has the cybersecurity community in widespread panic. This zero-day exploit targets Apache Log4j, an open-source Java logging package developers use to record and track application activities. Because it was disclosed together with exploit code, and because exploitation is simple and straightforward, it is VERY dangerous.

What makes this vulnerability so alarming?

In short, this is a nightmare scenario for an organization’s IT and DevOps teams. Most devices run Java, with the majority running Log4j as their default logging application. As a result, external users could exploit these target applications without authentication. For instance, a remote attacker who supplies an end application with specially crafted input that the Log4j2 subcomponent processes could cause the execution of arbitrary Java code.

In a recent interview with CNBC, Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, stated, “The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.”

Apache Log4j2, used in many popular services, meanwhile remains vulnerable because its Java Naming and Directory Interface (JNDI) features improperly allow Lightweight Directory Access Protocol (LDAP) lookups. Cybersecurity agencies from Australia, Canada, New Zealand, the U.K., and the U.S. released a joint advisory just before Christmas in response to the widespread exploitation of multiple vulnerabilities in Apache’s Log4j software library.

Unfortunately, hackers have taken note and are already attempting to exploit it. Microsoft confirmed that hackers used this vulnerability to deliver ransomware to customers’ devices. Researchers warn that despite emerging fixes to the issue, the consequences may have worldwide impacts. Earlier this week, cybersecurity firm Check Point reported that more than 100 hacking attempts occurred per minute.

Are you vulnerable?

The short answer – YES. The vulnerability is present in your devices and requires attention as soon as possible. We intended to provide a list of known devices and software affected; however, the list is EXTENSIVE. The list is currently on a public server, multiplying as we speak. In response, the United States Cybersecurity & Infrastructure Security Agency (CISA) provided resources to help identify and fix this problem.

Their list of known software issues is maintained on GitHub, found in the link below.

CISA List of Log4J Affected Software

What items should you scan?

If you haven’t addressed this vulnerability yet, these are the Log4j releases to upgrade to, by Java version:

  • Java 8 (or later) users should upgrade to release 2.17.1.
  • Users requiring Java 7 should upgrade to release 2.12.4.
  • Users still using Java 6 should upgrade to release 2.3.2.

How to scan machines for Log4j

1. Log on to your machines, and search for any Log4J file names

It is important to note that this applies not just to your personal computer but to all the machines used in your building. Even special-purpose devices run Java and Log4j. This scan is not foolproof: Log4j may be packaged inside other files, such as nested archives, where a filename search won’t see it. But it is an excellent first step.

As you can see, the log4j file is everywhere. Identifying the vulnerability is the first step to resolving it.

Actual search results of author's laptop for Log4J files

2. Scan these devices with tools to find every instance of Log4j

A simple search of your device’s hard drive for log4j files won’t suffice. Now it’s time to use a tool to find EVERYTHING. 

Is your organization already using tools to find and resolve these issues? 

If so, great! Be sure to include all the devices and software you use to operate your building. 

Here is a shortlist of devices to check:

  • Security Access Card Readers for Doors
  • Closed Circuit Television (CCTV)
  • Fire Life Safety
  • Building Automation
  • Leak Detection
  • Waste Neutralization
  • Hazardous Process Materials
  • Ultra-Pure Water
  • Electrical SCADA

If your organization hasn’t reviewed your software and devices yet… don’t panic.

CISA provides a scanning tool to help you identify issues. The log4j-scanner tool is open source and available on GitHub; it produces a list of everything you need to fix. However, installing and running this tool is beyond most casual users’ capabilities. Therefore, work with someone assigned to your organization to implement this scanner and gather a list of affected devices and software.

3. Upgrade Log4J files to the latest versions (without vulnerabilities)

If you find any Log4j files, don’t just delete them! It is crucial to upgrade to the latest version so your devices or software won’t reinstall an old, vulnerable copy of the Log4j files. The most effective way to complete this on Windows machines, such as laptops, is downloading the latest Windows Update.

In specific cases, it may also be necessary to replace log4j*.jar with the latest version (2.17 at this time).

Updated Apache Log4j*.jar files

However, this fix is neither final nor straightforward. Most Windows users will likely need to wait for the next Windows patch to resolve these issues.
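Steps 1 to 3 above, as an added example that is not part of the original post or of CISA’s tool: a small Python scanner that walks a directory, opens every jar/war/ear/zip, looks for the log4j-core JNDI lookup class (also inside archives nested in other archives, the case a plain filename search misses), reads the bundled version, and flags anything older than the fixed release for its branch (2.3.2, 2.12.4 or 2.17.1). The `make_sample_tree` helper writes constructed, fake log4j-core archives for demonstration; they are not real Log4j files.

```python
import io
import zipfile
from pathlib import Path

# Fixed releases named in the post, keyed by branch; anything else is held to 2.17.1 (Java 8+).
FIXED = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):  # '2.14.1' -> (2, 14, 1); missing or non-numeric parts become 0
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_vulnerable(version):  # older than the fixed release for its branch?
    return version < FIXED.get(version[:2], (2, 17, 1))

def inspect_archive(data, label, findings):  # record log4j-core here, then recurse into nested archives
    if not zipfile.is_zipfile(io.BytesIO(data)):  # skip files that merely carry an archive suffix
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:  # the class through which the JNDI lookup feature is reached
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines() if POM_PROPS in names else []
            version = next((ln.split("=", 1)[1].strip() for ln in props if ln.startswith("version=")), "unknown")
            vuln = version == "unknown" or is_vulnerable(parse_version(version))  # unknown -> review, not ignore
            findings.append({"path": label, "version": version, "vulnerable": vuln})
        for name in names:  # e.g. WEB-INF/lib/log4j-core-2.14.1.jar packed inside a .war
            if name.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)

def scan_path(root):
    """Walk `root` and return one finding per log4j-core archive, nested or not."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings

def make_sample_tree(root):
    """Constructed test data: a .war embedding log4j-core 2.14.1 plus a patched 2.17.1 jar."""
    def fake_core(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stand-in for the real class bytes
            z.writestr(POM_PROPS, f"version={version}\n")
        return buf.getvalue()
    with zipfile.ZipFile(Path(root) / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_core("2.14.1"))
    (Path(root) / "log4j-core-2.17.1.jar").write_bytes(fake_core("2.17.1"))
```

Point `scan_path` at a real filesystem root to get a list of every log4j-core copy with its version; entries marked vulnerable are the ones to upgrade rather than delete, as step 3 says.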

In your organization, the greater risk is software or devices on your network that your IT or DevOps organization won’t review as part of their first response to the vulnerability. Businesses will prioritize fixing software and devices first. It is unlikely that the software and devices you rely on to operate your building will make the list without your advocacy.

Your most critical applications and devices are connected to your network and are accessible over the Internet. These directly impact the building’s life safety, electrical, HVAC, water, or security equipment.

4. How do I keep things safe?

Your organization may or may not be implementing firmware updates on devices for cybersecurity vulnerabilities already. Your organization should maintain an inventory of critical software and devices and know which versions are running on each of them.

So, to address these Log4j exploits, CISA recommends installing a web application firewall (WAF) with specific rules. Together with network detection rules, these will aid in detecting malware and inappropriate access. Unfortunately, for many organizations this is a new frontier, and one that won’t go away.

APT 4 Cybersecurity

As a critical systems integrator, APT has protected systems and enhanced reliability for utilities and demand-side customers for over 25 years. Moreover, we provide cybersecurity services tailored for companies that rely on high availability and want to avoid negative publicity from a system failure. So don’t wait to see your organization’s name splashed in the headlines. Taking action now, while the problems are still minor (and have management’s focus), will help resolve these problems. Contact an APT professional today.

Andrew E Taylor, PE