How to identify your Log4j exposure

Threat Intelligence • Dec 15, 2021

A critical vulnerability (CVSS score of 10 out of 10) is actively being exploited in the wild to execute ransomware or cryptocurrency miners across a large number of Java-based applications and products.


Applications and products that use Java very often use the Log4j library to write log entries. The vulnerability is triggered when any HTTP header or parameter containing attacker-supplied data is logged via the Log4j library, which allows a remote attacker to achieve remote code execution on the underlying server. This is achieved by forcing the server to download a remotely hosted Java class that it then executes.

The vulnerability has been assigned the identifier CVE-2021-44228 and is dubbed the "Log4Shell" vulnerability.

Who is impacted?

This impacts nearly every organization globally, with a small selection including Apple, Amazon, Microsoft Azure, Okta, Atlassian, Palo Alto Networks, Check Point, Cisco, Juniper, Citrix, VMware, IBM, Docker, GitHub, Twitter, Apache, Cloudflare, LinkedIn, SolarWinds, Kaseya, and even Google. More vendors are being added to the extensive list daily, with over 100 vendors affected already, which you can track here.

What do you need to do?

  • Review the list of affected vendors and immediately apply upgrades or patches to any internet-accessible systems.
  • If you can’t patch, or if there is no patch, then remove the system from the internet immediately.
  • You then need to identify your affected systems, which is harder than you think. Basically, you need to locate all JAR files that have a vulnerable Log4j library packaged inside.

This requires a deep search across all of your Windows, Linux and Mac systems to locate all affected JAR files, as well as across any appliances and devices on your network. Once located, you need to disable message lookups via the JVM system property below:

-Dlog4j2.formatMsgNoLookups=true
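To locate the affected JAR files described above, the following added scanner (example code, not Threat Intelligence's Evolve tooling or Log4j's own) walks a directory tree, opens every JAR/WAR/EAR and any archive nested inside it, and reports those that bundle the JndiLookup class together with the log4j-core version read from its Maven metadata. The demo() function builds a constructed sample tree with stand-in bytes (not real Log4j classes) so the scan runs offline.

```python
import io
import os
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # lookup class abused by Log4Shell
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_archive(data: bytes, label: str, findings: list) -> None:
    """Record (label, version) if the archive ships JndiLookup; recurse into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # not a ZIP container (renamed or truncated file)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:  # Maven metadata carries the bundled log4j-core version
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, version))
        for name in names:  # fat JARs, WARs and EARs embed log4j-core as a nested JAR
            if name.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root: str) -> list:
    """Walk root and return [(path, version)] for every archive bundling JndiLookup."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings

def demo() -> list:
    """Build a constructed sample tree (stand-in bytes, not real Log4j) and scan it."""
    root = tempfile.mkdtemp()
    core = io.BytesIO()  # stand-in for a log4j-core 2.14.1 JAR that still ships JndiLookup
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, "version=2.14.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:  # nested inside a WAR
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:  # no Log4j at all
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return sorted(scan_tree(root))
```

Each finding names the outer file and the nested path separated by "!", so a hit inside a WAR can be traced back to the deployable that needs patching.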

How can Threat Intelligence help?

Since this vulnerability is hidden within so many different applications and products, Threat Intelligence has updated a series of Evolve products to assist you with identifying this exposure and proactively prevent your organization from suffering a security breach.


EvolvePT VS Log4j


Log4j External Exposure Penetration Test (Unauthenticated)


Evolve Automated Penetration Testing (EvolvePT) performs a targeted assessment of your internet-accessible applications, products and services to identify whether they are exploitable via the Log4j vulnerability from the perspective of an unauthenticated internet-based attacker. To provide a thorough analysis, both manual and automated attacks can be performed against each web-based service that is identified. This allows you to proactively and quickly identify vulnerable applications and products to prevent a security breach.


Log4j Authenticated External Application Penetration Test


Evolve Automated Penetration Testing (EvolvePT) performs a targeted assessment of the authenticated areas of your internet-accessible applications to determine whether they are exploitable via the Log4j vulnerability from the perspective of authenticated or registered user accounts. This allows you to proactively identify vulnerable applications and products within your authenticated application layer and gain deeper coverage.


Log4j Internal Infrastructure Penetration Test (Unauthenticated)


This custom-designed penetration test performs a targeted assessment of your internal applications, products and services using our Evolve Automated Penetration Testing (EvolvePT) to identify whether they are exploitable via the Log4j vulnerability from the perspective of an unauthenticated internal attacker. To provide a fast and cost-effective service, automated crawling and attacks are performed against each web-based service that is identified. This allows you to proactively identify vulnerable applications and products, including network devices and appliances, in a streamlined way and gain deeper insight into the internal systems that may be vulnerable.


Log4j Authenticated Wireless Penetration Test


Various wireless portals and devices use Java in their web interfaces, which may contain the Log4j vulnerability. This is especially risky on guest wireless networks and captive portals. EvolvePT authenticates to the wireless networks and tests the wireless devices to determine whether they contain the Log4j vulnerability. This helps prevent wireless-based attackers from compromising the wireless infrastructure to gain unauthorized access to internal networks.


EvolveIR VS Log4j

Log4j Authenticated Internal Exposure Assessment


Evolve Automated Incident Response (EvolveIR) includes a feature that provides deep insight into your company-wide exposure to the Log4j vulnerability. The first phase leverages the Evolve Security Automation capabilities to perform an authenticated search of every server to locate Log4j instances, including searching and unpacking JAR files to identify those that use Log4j, as well as gathering context around the exploitability of each instance. This information is then fed into the second phase, where each instance of Log4j is reviewed to determine whether it is vulnerable so that the risk can be remediated.


EvolveMDR VS Log4j


Log4j Security Breach Investigation


If you suspect that you may have suffered a security breach via the Log4j vulnerability, or if you wish to have threat hunting performed to identify whether you have been breached, then, with our EvolveMDR managed detection and response service, we can lead a security breach investigation to ensure your business remains safe.

How to get assistance?

Request a demo and talk to one of our experts to keep your business safe.
