CVE-2021-44228 –
Status and Advisory on Log4j Vulnerability

Background

A critical remote code execution vulnerability in the popular Apache Foundation Log4j library continues to be exploited across the internet, as organizations scramble to patch for this issue. This vulnerability, tracked as CVE-2021-44228, received a CVSS severity score of a maximum 10.0. Apache Foundation Log4j is a logging library designed to replace the built-in log4j package. It is often used in popular Java projects, such as Apache Struts 2 and Apache Solr. Likewise, this library may also be used as a dependency by a variety of web applications found in enterprise environments, including Elastic. Due to the nature of this vulnerability, organizations should identify and patch affected products and implement mitigation solutions as soon as possible.

Black Box Action Steps

Black Box has taken numerous steps to mitigate the Log4j Vulnerability at various levels and is continuously monitoring the situation.

1) Black Box has updated  its end point security and DNS/Secure Internet gateway security platforms with all the listed IP's and URL's etc. as mentioned in the IOC's . This protects any internet based attacks specific to log4j coming through the internet route.

2) Black Box is ensuring all internet facing web hosts (including those involved in future projects are updated to the latest versions of java components as applicable for protection).

3) Black Box is continuously monitoring the list of publically published vendors list ( GitHub, Link given below) who are potentially impacted with Log4j vulnerability and validating with those vendors for availability of patches in cases where it may be used. Many of such vendors have already patched their s/w platforms and components.

4) Black Box has not identified any compromise so far. It is continuously and actively evaluating its logs and monitoring the situation.

Customer Advisory

Due to the severity of this vulnerability,  We strongly recommend that customers follow the key guidance points below -

1) Customers must update their security systems and platforms with the Log4j IOC's   and monitor for any intrusions.

2) Customers should identify internet-facing devices running Log4j and upgrade them to version 2.17.1, or to apply the patches provided by vendors "immediately".

3) Customer must enumerate any external facing devices with Log4j installed  and ensure the security operations center actions every alert regarding Log4j. Installing a web application firewall (WAF) with rules to focus on Log4j also helps in identifying and preventing attacks.

4) Customers must identify software harboring the Log4j vulnerability that they internally use. Once identified , they must update / upgrade relevant components or follow vendors recommendations to eradicate the log4j vulnerability.

In order to identify any software and versions that is vulnerable to log4j , please refer to the link below -
https://github.com/NCSC-NL/log4shell/tree/main/software

5) For latest updates and guidance on the situation , please follow the CISA Apache log4j Vulnerability guidance page -
Apache Log4j Vulnerability Guidance | CISA

6) Consider reporting compromises immediately to the FBI or your local Authority as applicable country wise.