Relative to other cyber incidents in the last few months, Log4j is proving severely problematic. If you are in the middle of your impact and mitigation assessment, hands down the most important resource available is the webpage CISA launched yesterday to address the current activity: Apache Log4j Vulnerability Guidance | CISA.
OODA CEO Matt Devost wants the OODA Loop membership to know that “this is a great page and we should highlight that it exists for OODA Loop members. CISA has done a great job here.” Log4j is also the first US-CERT notification to put front and center private sector collaboration through the newly formed DHS CISA Joint Cyber Defense Collaborative (JCDC):
“CISA and its partners, through the Joint Cyber Defense Collaborative, are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”
The timing of the Log4j incident is proving a test of the public/private collaboration efforts which are now at the center of CISA Culture. It also dovetails with a recent call to action from CISA’s Jen Easterly and Def Con’s Jeff Moss at the Inaugural CISA Cybersecurity Advisory Committee meeting.
Good luck to everyone who is dealing with impacts from Log4j. We are interested in any member feedback – post-incident of course – on how this experience was unique (scale of the breach, CISA’s role, the effectiveness of the CISA JCDC approach during the crisis, etc.).
In the meantime, here are the resources CISA and the JCDC have provided to get your organization on the other side of the Apache Log4j Vulnerability CVE-2021-44228:
CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228 | CISA
Apache Log4j Vulnerability Guidance | CISA
Also, this just came in from The Record: CISA tells federal agencies to patch Log4Shell before Christmas – with this interesting update (amongst other USG specific updates):
“Security researcher Royce Williams has already compiled a list of what is and what is not vulnerable to Log4Shell, a list available here and containing information on more than 300 vendors. Another one is the list managed by the Dutch National Cyber Security Center.”
Actions for Organizations Running Products with Log4j
CISA recommends affected entities:
- Review Apache’s Log4j Security Vulnerabilities page for additional information.
- Apply available patches immediately. See CISA’s upcoming GitHub repository for known affected products and patch information.
- Prioritize patching, starting with mission-critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
- Until patches are applied, set
log4j2.formatMsgNoLookups
to true by adding-Dlog4j2.formatMsgNoLookups=True
to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above. - As stated above, BOD 22-01 directs federal civilian agencies to mitigate CVE-2021-44228 by December 24, 2021, as part of the Known Exploited Vulnerabilities Catalog.
- Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings.
- Consider reporting compromises immediately to CISA and the FBI.
Ongoing List of Impacted Products and Devices
CISA will maintain a community-sourced GitHub repository that provides a list of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability.
Ongoing Sources for Detection Rules
CISA will update sources for detection rules as we obtain them.
For detection rules, see Florian Roth’s GitHub page, log4j RCE Exploitation Detection. Note: due to the urgency to share this information, CISA has not yet validated this content.
For a list of hashes to help determine if a Java application is running a vulnerable version of Log4j, see Rob Fuller’s GitHub page, CVE-2021-44228-Log4Shell-Hashes. Note: due to the urgency to share this information, CISA has not yet validated this content.
Mitigation Guidance from JCDC Partners
- Microsoft blog: Guidance for Preventing, Detecting, and Hunting for CVE-2021-44228 Log4j 2 Exploitation
- Cisco Talos Intelligence Group – Comprehensive Threat Intelligence: Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
- Palo Alto Networks blog: Apache log4j Vulnerability CVE-2021-4428: Analysis and Mitigations
- CrowdStrike blog: Log4j2 Vulnerability Analysis and Mitigation Recommendations
- IBM Security Intelligence blog: How Log4j Vulnerability Could Impact You
- Tenable blog: CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)
- Broadcom’s Symantec Enterprise blog: Apache Log4j Zero-Day Being Exploited in the Wild content
- Splunk’s blog: Log4Shell – Detecting Log4j Vulnerability (CVE-2021-44228) Continued
- VMware Blog: Log4j Vulnerability Security Advisory: What You Need to Know
- Investigating CVE-2021-44228 Log4Shell Vulnerability: VMWare Threat Research
General Cybersecurity Resources
- Joint Cybersecurity Advisory – Technical Approaches to Uncovering and Remediating Malicious Activity provides general incident response guidance.
- NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies offers more information on the basics of enterprise patch management technologies.
- CISA’s Cyber Essentials serve as a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
- CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats.
- New Zealand Computer Emergency Response Team’s Advisory: Log4j RCE 0-Day Actively Exploited
Related Reading:
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking