Cybereason Solutions Are Not Impacted by Apache Log4j Vulnerability (CVE-2021-44228)
December 10, 2021
UPDATE: Cybereason researchers have released an updated "vaccine" with a permanent mitigation option for the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). It is freely available on GitHub and relatively simple to implement.
A newly revealed vulnerability impacting Apache Log4j 2 versions 2.0 to 2.14.1 was disclosed on the project’s GitHub on December 9, 2021, and designated as CVE-2021-44228 with the highest severity rating of 10. The flaw has been dubbed Log4Shell.
Log4j 2 is an open source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can give threat actors the ability to take control of any Java-based, internet-facing server by way of Remote Code Execution (RCE).
Cybereason is aware of the vulnerability and has completed verification that this issue does not affect Cybereason products or services.
For those who are concerned about closing third-party vulnerabilities (i.e., products aside from Cybereason), the following are some proactive measures organizations can take to reduce the risk posed by CVE-2021-44228:
For Log4j version 2.10.0 or later, set the configuration value log4j2.formatMsgNoLookups to "true". This disables message lookups, which stops the JNDI lookups that would otherwise make LDAP and other requests to untrusted servers.
Set both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to "false" (their default since Java 8u121) so that the JVM does not load classes from a remote codebase, which is what turns a JNDI lookup into Remote Code Execution.
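The two measures above only help when they actually apply to the JVM in question: the formatMsgNoLookups flag is ignored by releases older than 2.10.0, and a property that is never set on the command line cannot be counted on. The following checker, added here as an illustration and not Cybereason's own tooling, takes a log4j-core jar name (or version string) and the java command line and reports which mitigations are in effect; the sample command lines are constructed, not captured from a real host.

```python
import re
from typing import Dict, Tuple

# Version bounds from the advisory above; 2.10.0 is where formatMsgNoLookups was introduced.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
NOLOOKUPS_MIN = (2, 10, 0)
CODEBASE_PROPS = (
    "com.sun.jndi.rmi.object.trustURLCodebase",
    "com.sun.jndi.cosnaming.object.trustURLCodebase",
)

def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull a major.minor[.patch] triple out of a version string or jar file name."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def jvm_properties(cmdline: str) -> Dict[str, str]:
    """Collect -Dkey=value system properties from a java command line."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", cmdline))

def assess(log4j_version: str, cmdline: str) -> Dict[str, object]:
    """Report exposure to CVE-2021-44228 and which mitigations are actually in effect."""
    version = parse_version(log4j_version)
    props = {k: v.lower() for k, v in jvm_properties(cmdline).items()}
    affected = AFFECTED_MIN <= version <= AFFECTED_MAX
    # The flag is only honoured by 2.10.0 and later; older releases silently ignore it.
    lookups_off = (version >= NOLOOKUPS_MIN
                   and props.get("log4j2.formatMsgNoLookups") == "true")
    # Conservative: only count the codebase properties when they are explicitly false.
    codebase_off = all(props.get(p) == "false" for p in CODEBASE_PROPS)
    if not affected:
        verdict = "not in affected range"
    elif lookups_off and codebase_off:
        verdict = "mitigated; upgrade still recommended"
    else:
        verdict = "exposed: upgrade or apply mitigations"
    return {"version": version, "affected": affected,
            "msg_lookups_disabled": lookups_off,
            "trust_url_codebase_disabled": codebase_off, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample command lines, not captured from any real host.
    samples = [
        ("log4j-core-2.14.1.jar", "java -Dlog4j2.formatMsgNoLookups=true "
         "-Dcom.sun.jndi.rmi.object.trustURLCodebase=false "
         "-Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false -jar app.jar"),
        ("log4j-core-2.9.1.jar", "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar"),
        ("log4j-core-2.15.0.jar", "java -jar app.jar"),
    ]
    for jar, cmd in samples:
        print(jar, "->", assess(jar, cmd)["verdict"])
```

Note that a verdict of "mitigated" describes only the settings listed in this post; the UPDATE at the top points to the later CVE-2021-45046, which is why upgrading remains the recommendation.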
If you believe your organization may already have been compromised through exploitation of CVE-2021-44228, contact the Cybereason Incident Response Team or reach out to your Cybereason representative for immediate assistance. We are here to help and will provide tools and information to assist others as this vulnerability continues to evolve.
About the Author
Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.