Critical Vulnerability: Apache Log4j/LogJam
Chris Watkins
Head of Security
13/12/2021

Ultima have been made aware of a critical vulnerability which affects Log4j and is rated 10 on the CVSS vulnerability scale, the highest classification a vulnerability can receive. To learn more about the vulnerability, Mitre have published a handy article to support CVE-2021-44228:

CVE - CVE-2021-44228 (mitre.org)

What is Log4j & how is it being attacked?
Log4j is a Java-based logging library. It is used to process log data for an array of different uses, from websites to other server-based applications that use the Java library/component. The exploit requires an attacker to remotely reach an endpoint and send arbitrary data that is then logged or otherwise processed by the Log4j engine.

Where has the vulnerability been detected?
Whilst the full extent of the products and services affected is unknown, our close vendors and partners are working through the impact statements now. An update from our strategic vendors can be found below:

Product vulnerability status from each vendor as of 13th December 2021:

Check Point
  • Status: Not vulnerable
  • Details: Has released an IPS update to help mitigate the risk
  • More info: Check Point response to Apache Log4j Remote Code Execution (CVE-2021-44228)

Cisco
  • Status: Some products vulnerable. A large list is being reviewed by Cisco; some products are confirmed as not vulnerable, others are confirmed as vulnerable, and some are still in evaluation
  • Details: Refer to the link for more details
  • More info: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Citrix
  • Status: None announced as vulnerable so far, but many under investigation. Some confirmed not vulnerable (e.g. some ADC variants, XenServer); others in progress
  • More info: Citrix Security Advisory for Apache CVE-2021-44228

VMware
  • Status: Some products vulnerable. Some confirmed vulnerable (e.g. ESX, vCenter) with a workaround available; others in progress
  • Details: Workarounds are available and patches are pending
  • More info: https://www.vmware.com/security/advisories/VMSA-2021-0028.html

Microsoft
  • Status: Microsoft have announced that so far there is no evidence that any services are vulnerable; the biggest risk is applications/services running behind a Microsoft service such as Azure IaaS
  • Details: Microsoft are said to be working on WAF managed rulesets to help protect. Defender signatures are being updated to help protect
  • More info: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ and "Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation" (Microsoft Security Blog)

HPE
  • Status: None announced as vulnerable so far, but all under investigation. HPE have announced that they are investigating and will publish more information on their security vulnerability pages, as detailed in the links
  • More info: "Notice: Apache Software Log4j - Security Vulnerability CVE-2021-44228" (HPE Support); New Messages! (hpe.com); Security Advisories | Aruba (arubanetworks.com)

HP
  • Status: No information published at this time

Nutanix
  • Status: Some products vulnerable. Some are vulnerable with a patch pending; others under investigation
  • Details: Nutanix WAF products have rules to help filter attempted exploits
  • More info: Security Advisory 23-v1.3 (nutanix.com)

If you would like to learn more about the vulnerability, BlueTeam have created a cheatsheet on GitHub which you can find here:

BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-12 2204 UTC · GitHub

How can I protect my systems?

  • Update where you can – A new version of Log4j (2.15.0) has been released which mitigates the remote code execution vulnerability. If this is difficult, product developers such as Unifi have started deploying new software versions which address this threat.

  • If you’re a developer – The vulnerable feature within Log4j can also be disabled by setting the log4j2.formatMsgNoLookups flag to true, or by removing the JndiLookup class from the classpath used by Java. This should only be done if you are sure of the implications and a comprehensive implementation and test plan has been created and executed.

  • Implement a next generation IPS – Products such as Check Point, with Intrusion Prevention System capabilities enabled, were recently updated to prevent this exploit.

  • Bolster network security – Because this vulnerability can also affect key infrastructure products such as VMware, it is advisable to set up access control lists or firewall rules to restrict access to approved management devices only.

  • Refer to guidance from the NCSC for this vulnerability – The National Cyber Security Centre has published guidance, available here: https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
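The first two steps above (find log4j-core jars below 2.15.0, then remove the JndiLookup class where an upgrade is not yet possible) can be checked and applied with a small inventory script. This is an added example, not Ultima's or the Log4j project's own tooling; the 2.15.0 threshold is the figure the post gives, and the sample jar it builds is constructed stand-in data with placeholder class bytes, not a real Log4j build.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # the release the post names as the fix


def parse_version(text):
    """'log4j-core-2.14.1.jar' -> (2, 14, 1); None if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Return (version, has_jndi_lookup, vulnerable); unknown version counts as vulnerable."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:  # prefer the manifest over the file name
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = parse_version(m.group(1)) if m else None
    if version is None:
        version = parse_version(os.path.basename(path))
    has_jndi = JNDI_CLASS in names
    vulnerable = has_jndi and (version is None or version < FIXED_VERSION)
    return version, has_jndi, vulnerable


def strip_jndi_lookup(path):
    """Rewrite the jar in place without JndiLookup.class (the classpath mitigation)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    with open(path, "wb") as fh:
        fh.write(buf.getvalue())


def make_sample_jar(version, directory=None):
    """Constructed stand-in for a log4j-core jar: sample data, not a real build."""
    path = os.path.join(directory or tempfile.mkdtemp(), f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return path
```

Run inspect_jar over every log4j-core jar found under a deployment root (os.walk) and only call strip_jndi_lookup after the test plan the post describes has been executed, since the jar is rewritten in place. Note that Apache later superseded 2.15.0 with further releases (2.16.0 onward) after additional issues were found, so treat the threshold as the post's 13 December figure rather than the final word.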

Are you an Ultima Managed Services customer?
As your security experts, we have already been working through every internal application and service and we will be updating this blog when we have additional updates from our vendors. To remediate in the meantime, we have carried out the following:

  • Where customers have a managed firewall service, we have ensured that your firewalls' IPS signatures are updated to help prevent the exploit

  • Our monitoring platform has been confirmed as not vulnerable by the vendor

Ultima Labs Statement
As our IA-Cloud platform is based on Microsoft Azure services, there aren't any third-party integrations which could be vulnerable.

If you are still concerned about the vulnerability, please contact our Security Team and we will be on hand to assist you.

17th DECEMBER UPDATE

What are Ultima doing to address the vulnerability within their systems?
Upon identification of the issue, we immediately undertook a review of all of our systems in partnership with our vendors to understand any systems that could potentially be vulnerable. We verified that our Next Generation Firewalls and Perimeter Security solutions were able to detect and block activity related to Log4j.

Are any of Ultima’s systems vulnerable?
Any systems that were deemed vulnerable by the vendor have been remediated by implementing the approved solution from the vendor and have been validated via an internal vulnerability scan.

I’m a managed service customer, are any of your systems used to provide these services vulnerable?
None of the key solutions we use for our managed service customers are vulnerable. We have also shared a statement from LogicMonitor, as many of our customers will have an on-premises collector as part of the monitoring platform: Log4Shell Security Vulnerability (CVE-2021-44228) | LogicMonitor
