Apache log4j

Cyber Security and Incident Response Advisory – Updated 14 December 2021

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1.

A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

Reports show that this vulnerability is being actively exploited.

Recommendations

The vulnerability affects the open-source, Java-based logging framework Apache log4j, which is used in many Java applications. It is a remote code execution (RCE) vulnerability.

If exploited, an attacker can instruct the compromised server to download and execute malicious code. This can result in data theft, damage to data, and disruption to computer-based systems or processes.

The vulnerability affects systems and services that use the Apache log4j Java logging library, versions 2.0 through 2.14.1. There is also a growing list of software known to be affected. We’ve included more detail on this below, along with steps you or your IT provider can take to search for any attempts that cybercriminals may have made to target your systems.

Run system updates
Technology companies are working to release system updates (or ‘patches’) to address the vulnerability. The best thing you can do is look out for any updates and install them as soon as you can. Do this whether you think the issue impacts your systems or not.

We recommend reviewing the Apache Log4j 2.15.0 announcement and upgrading to Log4j 2.15.0, or applying the recommended mitigations, immediately. Further recommendations are available at the following link: log4j RCE Exploitation Detection.
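As an added example that is not part of the original advisory, the following Python script inventories log4j-core jars under a directory, flags versions inside the range the advisory names (2.0-beta9 through 2.14.1), and reports whether each jar still contains the JndiLookup class, the lookup plugin whose removal is one of Apache's published mitigations. It assumes Maven-style file names (log4j-core-<version>.jar) and does not open jars nested inside wars or ears.

```python
import re
import sys
import zipfile
from pathlib import Path

# Maven-style file names (assumption): log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d+))?\.jar$")
# The lookup plugin behind CVE-2021-44228; removing it is one of Apache's published mitigations
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(ver):
    """'2.0-beta9' -> ((2, 0, 0), 'beta', 9); '2.14.1' -> ((2, 14, 1), '', 0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised version {ver!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return (nums + (0, 0, 0))[:3], (m.group(2) or "").lower(), int(m.group(3) or 0)

def is_affected(ver):
    """True inside the range the advisory states: 2.0-beta9 <= version <= 2.14.1."""
    nums, qual, qnum = parse_version(ver)
    if nums[0] != 2 or nums > (2, 14, 1):
        return False
    if nums == (2, 0, 0) and qual == "beta":
        return qnum >= 9  # the JNDI lookup first shipped in 2.0-beta9
    return True  # 2.0-rc1, 2.0-rc2 and 2.0 through 2.14.1

def jar_version(filename):
    """'log4j-core-2.0-beta9.jar' -> '2.0-beta9'; None for any other file name."""
    m = JAR_NAME.match(filename)
    if not m:
        return None
    return m.group(1) + (f"-{m.group(2)}{m.group(3)}" if m.group(2) else "")

def inspect_jar(path):
    """(version, status) for a log4j-core jar, or None if the file name does not match."""
    ver = jar_version(path.name)
    if ver is None:
        return None
    with zipfile.ZipFile(path) as jar:
        present = JNDI_CLASS in jar.namelist()
    status = "ok" if not is_affected(ver) else ("AFFECTED" if present else "MITIGATED")
    return ver, status

if __name__ == "__main__":
    for p in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("*.jar"):
        result = inspect_jar(p)  # jars nested inside wars/ears are not opened
        if result:
            print(f"{result[1]:9} {result[0]:12} {p}")
```

Run it with the application root as the argument and treat every AFFECTED line as a system to upgrade to 2.15.0; MITIGATED means the JndiLookup class has already been removed from that jar.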

Examples of impacted software

References

Apache

Mitre

Swithak – Blue team cheat sheet for Log4Shell

Microsoft – Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation

Government Advisories

Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability

CISA – Mitigating Log4Shell and Other Log4j-Related Vulnerabilities (The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library)

CISA – Apache Log4j Vulnerability Guidance

CERT NZ – Log4j RCE 0-day actively exploited

US CERT – Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation

US CERT – Apache Log4j Vulnerability Guidance
This Advisory is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Advisory. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining from acting, when relying on the information contained in this Bulletin or for any decision based on it.

Traffic Light Protocol = White