ITS IA Advisory: Log4j
A zero-day vulnerability in the Apache Log4j utility, originally communicated through an IA Alert on December 10, 2021, could result in remote code execution. This remains an active threat.
Summary
US healthcare organizations, including those in the public health sector, are being targeted again by threat actors looking to exploit this zero-day vulnerability. If you have not already done so, update Log4j to version 2.17 as soon as possible to disable the vulnerable features of Log4j.
Problem
Log4j is a Java-based logging library maintained by the Apache Software Foundation. According to the Cloudflare Blog, “In the affected Log4j versions, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
Threats
Exploit code is publicly available, widespread scanning for vulnerable systems is occurring, and this vulnerability is being exploited actively in the wild.
Affected Versions
Apache Log4j 2.0-beta9 up to 2.16.0
Action Items
- Update to Apache Log4j version 2.17.0 or later after appropriate testing
- Log4j is embedded in a large number of commercial software applications. Be aware of any vendor updates for these packages and apply patches as quickly as possible.
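The following check puts the affected-version range and the update action item into practice. It is an added example, not part of this advisory and not Log4j project code: it classifies Log4j version strings, and log4j-core JAR filenames found on disk or bundled inside .war/.ear/.jar archives, against the 2.0-beta9 to 2.16.0 range. Identifying the library by the filename pattern `log4j-core-<version>.jar` is an assumed heuristic; a renamed or shaded copy would be missed.

```python
# Added example (not from the advisory): flag Log4j versions in the affected
# range the advisory gives, 2.0-beta9 up to and including 2.16.0.
import os
import re
import zipfile

PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3  # a final release sorts after all of its pre-release builds
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")
# Assumed naming convention for the core library JAR (heuristic, see lead-in).
JAR_RE = re.compile(
    r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-(?:alpha|beta|rc)\d+)?)\.jar$", re.I)

def parse_version(text):
    """Turn '2.0-beta9' or '2.16.0' into a tuple that compares correctly."""
    m = VERSION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognized Log4j version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):  # pre-release build, e.g. 2.0-beta9 or 2.0-rc2
        return (major, minor, patch, PRERELEASE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, FINAL_RANK, 0)

AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.16.0")

def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH

def classify_jar_paths(paths):
    """Pick out log4j-core JARs by filename and flag those in the affected range.
    Returns (path, version, affected) tuples; other files are ignored."""
    findings = []
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            findings.append((path, m.group(1), is_affected(m.group(1))))
    return findings

def scan_tree(root):
    """Walk a directory tree, also listing entries of .war/.ear/.jar archives
    so a bundled log4j-core JAR is reported as 'archive!entry'."""
    paths = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            paths.append(full)
            if name.lower().endswith((".war", ".ear", ".jar")) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    paths.extend(f"{full}!{entry}" for entry in zf.namelist())
    return classify_jar_paths(paths)
```

Run `scan_tree("/opt")` (or any application root) and treat every finding with `affected == True` as a system to update to 2.17.0 or later; a result of no findings only means no JAR matched the naming heuristic, not that the host is clean.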
Technical Details
For details, see Apache Log4j Security Vulnerabilities.
How We Protect U-M
- The impacted systems are identified through the Tenable vulnerability scanning agent. We encourage you to work with IA to deploy the Tenable agent to all of your systems. The Tenable agent provides significantly more efficient, accurate, and complete vulnerability scanning results than can be provided with remote network scanning. Submit a ticket to the ITS Service Center with attention to ITS-IAPROACTIVE-Security to begin deployment of the Tenable agent on your unit’s systems.
- ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Healthcare in the Crosshairs of North Korean Cyber Operations, Dark Reading 2/13/23
- Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS, Bleepingcomputer, 12/18/21
- Log4Shell Update: Severity Upgraded 3.7 -> 9.0 for Second log4j Vulnerability, LunaSec, 12/17/21
- Apache Log4j Security Vulnerabilities, Logging Services
- Apache Log4j Vulnerability Guidance, Cybersecurity & Infrastructure Security Agency (CISA)
- Download Apache Log4j 2, Log4j, 12/6/21
- Apache Log4j Security Vulnerabilities, Log4j, 12/6/21
- CVE-2021-44228, Mitre Corporation, 11/26/21
- The Log4j security flaw could impact the entire internet. Here's what you should know, CNN, 12/15/21
- 1.x end of life, Logging Services
- Security warning: New zero-day in the Log4j Java library is already being exploited, ZDNet, 12/10/21
- Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet, Ars Technica, 12/10/21
- New zero-day exploit for Log4j Java library is an enterprise nightmare, Bleeping Computer, 12/10/21
- CVE-2021-44228 - Log4j RCE 0-day mitigation, Cloudflare Blog, 12/10/21
- RCE in log4j, Log4Shell, or how things can get bad quickly, Internet Storm Center, 12/10/21