Addressing the Apache Log4j Zero-Day Vulnerability

Problem 

 According to the Cloudflare Blog, “In the affected Log4j versions, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” 
 

Affected Versions 

Apache Log4j 2.0-beta9 through 2.15.0 

The Apache Log4j vulnerability is being actively exploited, and organizations the world over are being affected. The KSU Division of IT continues to scan KSU networks and take other steps to address this zero-day for the systems currently under the Division's management. System, application, and server owners are asked to review their technology to determine whether it might be at risk from this vulnerability, and are instructed to use the measures identified here to evaluate and remediate it. This vulnerability is considered a zero-day exploit and requires vendor or Apache patches to be applied to remediate it. 

We also recommend that you continue to monitor for indications of compromise on systems that may have had a vulnerable version of Log4j at any point since December 1, 2021. Refer to the KSU Log4J Security Scanning and Monitoring Guide. 
 

Action Items 

  • Log4j is embedded in a large number of commercial software applications. Watch for vendor updates for these packages and apply patches as quickly as possible. 
  • Update to version 2.16.0 of Apache Log4j as soon as possible after appropriate testing. 
  • If updating to the latest version is not possible, mitigate exploitation by removing the JndiLookup class from the classpath, or by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true when starting the Java Virtual Machine; either step makes the vulnerability not exploitable. See this Darkreading.com article for more information: What to Do While Waiting for the Log4J Updates (darkreading.com). 
  • KSU has established a Cyber Security Incident Response Team (KSU-CSIRT) that can assist with and/or advise on remediation. 
  • Develop a list of the applications, systems, or servers you have evaluated, then forward it to the Kent State Cyber Security Incident Response Team (KSU CSIRT) at Security@kent.edu (Subject line: “LOG4J Concerns”). 
  • If you are able to patch these systems, the CSIRT encourages you to do so rather than waiting to communicate with the KSU CSIRT first; simply identify the systems that have already been remediated in your list. The KSU CSIRT is here to support you and to point you to the tools you might need. 
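As an added illustration of the inventory and mitigation steps above (this is example code, not the KSU scanning guide's own tool), the following script walks a directory tree, reads the version recorded in each log4j-core jar's Maven pom.properties, classifies it against the affected range 2.0-beta9 through 2.15.0 (fixed in 2.16.0), and credits jars from which the JndiLookup class has already been removed. The directory it scans and the jar layout are assumptions; it only inspects plain jars, so log4j-core nested inside a WAR or fat jar must be unpacked first.

```python
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
STAGE = {"beta": 0, "rc": 1, None: 2}         # pre-releases sort before GA
FIRST_AFFECTED = (2, 0, 0, STAGE["beta"], 9)  # 2.0-beta9, per this advisory
FIRST_FIXED = (2, 16, 0, STAGE[None], 0)      # 2.16.0, per this advisory

def version_key(version):
    """Turn '2.0-beta9' / '2.15.0' into a comparable tuple, or None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", version)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(num or 0))

def classify(version):
    """Status of a log4j-core version against the advisory's affected range."""
    key = version_key(version)
    if key is None:
        return "unknown"
    if FIRST_AFFECTED <= key < FIRST_FIXED:
        return "vulnerable"
    return "patched" if key >= FIRST_FIXED else "not-affected"

def read_version(jar):
    """Version recorded in the Maven pom.properties that log4j-core ships, or None."""
    if POM_PROPS not in jar.namelist():
        return None
    m = re.search(r"^version=(.+)$", jar.read(POM_PROPS).decode("utf-8", "replace"), re.M)
    return m.group(1).strip() if m else None

def scan(root):
    """Return {jar_path: (version, status)} for every log4j-core jar under root."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        if not zipfile.is_zipfile(path):
            continue  # a directory or a damaged file named *.jar
        with zipfile.ZipFile(path) as jar:
            version = read_version(jar)
            if version is None:
                continue  # some other jar, not log4j-core
            status = classify(version)
            # Credit the JndiLookup-removal mitigation from the action items above
            if status == "vulnerable" and JNDI_LOOKUP not in jar.namelist():
                status = "mitigated-jndilookup-removed"
        findings[str(path)] = (version, status)
    return findings
```

Versions are judged only against the range quoted in this advisory; later backport releases for older Log4j branches are not special-cased, so review any "vulnerable" finding against the current Apache advisory before acting on it.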
     

Indicators of potential compromise: 

  • Unusually high CPU utilization, system slowness 
  • Unexpected processes, system changes, services, network connections, and new users/groups 
  • Unusual messages in logs 
  • Attacker activity may include cryptocurrency mining, ransomware, malware infection, denial of service attacks, and sensitive data exfiltration. 
     

Threats  

Exploit code is publicly available, widespread scanning for vulnerable systems is occurring, and this vulnerability is being actively exploited in the wild. Attackers are using this exploit to install crypto-mining or ransomware malware. It has been revealed that attackers are now exploiting a second (and potentially third) vulnerability in Log4j code that may allow denial of service attacks and exfiltration of sensitive data to be carried out; see CVE-2021-45046 for more information. This exploit is also remediated by the version 2.16.0 update of Apache Log4j. 
 

Technical Details 

For details, see Apache Log4j Security Vulnerabilities.
 

How We Protect KSU 

KSU IT provides Microsoft Defender Endpoint for use on all KSU-owned machines (Windows, macOS, and Linux operating systems, whether workstations or servers). Once a machine is joined to Microsoft Security Center, we can give your IT support personnel access to the Kent State Microsoft Security Center Console for scanning, monitoring, and reporting on your affected endpoints, which allows your team to investigate and remediate any issues. The KSU Information Security Team is here to assist; send your list to Security@kent.edu (Subject line: “LOG4J Concerns”). 

Additionally, we are taking actions within our network to block known malicious traffic. Your reporting of issues is critical because it allows us to enhance these defenses. 
 

Information for Users 

In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. 
 

Questions, Concerns, Reports 

Please contact Security@kent.edu (Subject line: “LOG4J Concerns”). 
 
