LOG4J CVE-2021-44228 - Mitigation

A quick post to provide some resources which will help in the mitigation of this issue. We have updated this post to include information on the second LOG4J vulnerability, CVE-2021-45046.

Preamble

This is my favourite representation of the issue;

[Image: log4j_attack.jpg]

NIST

Has a load of useful resources related to LOG4J;

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

NZ Cert

Has published an advisory;

https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/

Our Security Vendors

With both of these firewall vendors you will need to set the IPS protection for this signature to prevent, as by default it is detect only.

Checkpoint

https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/

https://www.checkpoint.com/defense/advisories/public/2021/cpai-2021-0936.html

Fortinet

https://www.fortiguard.com/encyclopedia/ips/51006

https://www.fortiguard.com/psirt/FG-IR-21-245

RSA

RSA have published an advisory listing affected and not affected systems.

https://community.rsa.com/t5/general-security-advisories-and/rsa-customer-advisory-apache-vulnerability-log4j2-cve-2021-44228/ta-p/660501

ESET

https://support.eset.com/en/alert8188-information-regarding-the-log4j2-vulnerability?ref=esf

General Notes

Native Firewalls

If you are running a firewall without IPS protection, such as a native cloud firewall from Azure or AWS, you are limited in what you can do. You would be well advised to deploy a full threat protection firewall or WAF to combat this (and other) issues; contact us to discuss further. See the bottom of this post for contact options.

Linux

You can use these commands to identify if LOG4J is present on your system. You will need to adapt the commands to suit your distribution of Linux.

Look for files

sudo find / -iname "*log4j*" 2>/dev/null

Look for packages

sudo apt list --installed | grep log4j
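The two commands above only tell you that something named log4j exists. The script below is an added example, not part of the original post, that goes one step further: it walks a directory tree for log4j-core JARs, reads the version out of the filename and flags anything older than 2.16.0, the first release that addresses both CVE-2021-44228 and CVE-2021-45046 (the 2.12.2 backport for Java 7 is the documented exception, so it is treated as patched). The search root, the function names and the sample path in the comments are assumptions for the example; a JAR that has been renamed or repackaged will show as UNKNOWN and still needs a manual look.

```shell
#!/bin/sh
# Added example (not from the original post): find log4j-core JARs under a
# directory and classify each one by the version in its filename.
# Usage: sh log4j_scan.sh /opt      (defaults to "/" if no root is given)

# Extract "2.14.1" from a path such as /opt/app/lib/log4j-core-2.14.1.jar
# (hypothetical path). Prints nothing if the filename carries no version.
log4j_version_from_path() {
    basename "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/^log4j-core-\([0-9][0-9A-Za-z.-]*\)\.jar$/\1/p'
}

# Compare dotted versions component by component; returns 0 if $1 < $2.
# Non-numeric tails such as "0-beta9" compare as 0, which keeps old
# pre-release builds on the vulnerable side.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1
    }'
}

# Classify one version string as VULNERABLE, PATCHED or UNKNOWN.
# 2.16.0 fixes both CVE-2021-44228 and CVE-2021-45046; 2.12.2 is the
# Java 7 backport carrying the same fixes.
classify_log4j_version() {
    v="$1"
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif [ "$v" = "2.12.2" ]; then
        echo PATCHED
    elif version_lt "$v" "2.16.0"; then
        echo VULNERABLE
    else
        echo PATCHED
    fi
}

# Walk the given root (same filesystem only) and print one tab-separated
# line per log4j-core JAR: STATUS, version, path.
scan_log4j_jars() {
    root="${1:-/}"
    find "$root" -xdev -type f -iname 'log4j-core-*.jar' 2>/dev/null \
        | while IFS= read -r jar; do
            v="$(log4j_version_from_path "$jar")"
            printf '%s\t%s\t%s\n' "$(classify_log4j_version "$v")" "${v:-?}" "$jar"
        done
}

# Only scan when a root is passed on the command line, so the functions can
# also be sourced into another script without triggering a full filesystem walk.
if [ -n "${1:-}" ]; then
    scan_log4j_jars "$1"
fi
```

Run it against the application directories you actually deploy to rather than `/` where you can; the `-xdev` flag keeps it off network mounts, so run it once per mount point if those matter to you.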

Tenable

https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability

https://www.tenable.com/blog/cve-2021-44228-cve-2021-45046-cve-2021-4104-frequently-asked-questions-about-log4shell

If you are still unsure and need a scan run of your system(s), please contact us. We have our own deployment of Tenable Nessus Professional with both local and remote LOG4SHELL detection templates and can work with you to check your exposure. Contact us via the contact form on this website, or log a ticket via our support portal if you have been granted access;

Contact Form

https://www.thinking.net.nz/contact-us

Support Portal

https://thinking.myportallogin.com.au/

And finally, if you are wondering how we feel after all of this, well, here you go...

[Image: LOG4J.jpg]

Posted in Checkpoint, Fortigate, SecurID on Dec 13, 2021