Last Friday, it was announced that a serious vulnerability was found in the widely used open source Apache Log4j tool. The tool, which Java applications use for logging, is part of many cloud and enterprise applications. The vulnerability was given CVE identifier CVE-2021-44228 and is also known as Log4Shell.
The vulnerability allows criminal groups to remotely execute code with the permissions of a parent application. The parent application in this case is the application that uses Log4j, which makes it impossible to estimate what rights this parent application has. The Dutch NCSC has therefore classified the impact as high, and the first reports of active abuse have already been seen.
The vulnerability has been confirmed in Log4j 2.0 to 2.14.1. Log4j 1.x was not investigated, as this version has been end-of-life since 2015 and is therefore no longer supported by Apache. The vulnerability is fixed when updating to version 2.15.0.
What action can you take?
If your organization uses software that runs on Java, there is a reasonable chance that it includes applications that use the Log4j tool. It is therefore important to investigate whether this is the case. The NCSC has compiled a list of vulnerable software which they continue to update; keep a close eye on this page in the coming period. If this list includes software that is used in your organization, it is important to patch it as soon as possible and to follow the advice of the NCSC. In addition, the NCSC has noted which Indicators of Compromise you can watch out for.
Read more: https://www.ncsc.nl/actueel/nieuws/2021/december/12/kwetsbare-log4j-applicaties-en-te-nemen-stappen
In addition, ESET recommends that you:
- Ensure that security solutions are installed on servers
- Regularly check that these solutions are still active on all servers
- Ensure that the security solutions on the servers are running the latest version
- Limit outgoing traffic on servers where possible
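To support the investigation step above, the following added example (not code from ESET or the NCSC) inventories Java archives under a directory, including archives nested inside WAR/EAR/fat JAR files, and classifies any bundled log4j-core against the 2.0 to 2.14.1 range stated in this article. The function names are illustrative; it assumes log4j-core can be recognized by its Maven `pom.properties` entry or, when that metadata is stripped, by the presence of `JndiLookup.class`.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Markers assumed to identify log4j-core inside an archive. Repackaged builds
# may drop the Maven metadata, so JndiLookup.class is used as a second signal.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def classify(version):
    """Classify a version using only the range given in this article."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    if not m:
        return "unknown version, review manually"
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 2 and minor <= 14:
        return "affected (2.0 to 2.14.1)"
    return "not in affected range"

def scan_archive(data, label):
    """Return [(location, version, verdict)], recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive, skip it
    hits, names = [], zf.namelist()
    if POM in names or JNDI in names:
        version = None
        if POM in names:
            props = zf.read(POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
        hits.append((label, version, classify(version)))
    for name in names:
        if name.lower().endswith(ARCHIVES):
            hits += scan_archive(zf.read(name), f"{label}!/{name}")
    return hits

def scan_tree(root):
    """Scan every .jar/.war/.ear file below root."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            hits += scan_archive(path.read_bytes(), str(path))
    return hits

if __name__ == "__main__":
    for loc, ver, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{ver or '?'}\t{loc}")
```

Run it with the application directory as the only argument; results marked "unknown version" are archives that contain the JNDI lookup class without version metadata and need a manual check.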
ESET detection
Does ESET have protection against Log4j?
ESET's Network Attack Protection (IDS) and Web Access Protection components detect the Log4j vulnerability; this detection can be recognized by the detection name JAVA/Exploit.CVE-2021-44228. This detection is available to users of ESET PROTECT.
In addition, all other ESET components will also detect any "payloads".
What steps should I take with customers who use Java?
Are your customers using Java applications? If so, see which of your customers’ applications are vulnerable in the overview from the NCSC. This overview is continuously updated, so it should be checked regularly. If it includes software that your customers use, you should patch it as soon as possible and follow the advice of the NCSC.
Do ESET solutions use Log4j in the background?
For more information about the vulnerability and ESET's solutions, read: https://support.eset.com/en/alert8188-information-regarding-the-log4j2-vulnerability.