Cybereason Solutions Are Not Impacted by Apache Log4j Vulnerability (CVE-2021-44228)

UPDATE: Cybereason researchers have released an updated "vaccine" with a permanent mitigation option for the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046), which is freely available on GitHub and relatively simple to implement (more details here).

A newly revealed vulnerability impacting Log4j 2 versions 2.0 to 2.14.1 was disclosed on the project’s GitHub on December 9, 2021, and designated as CVE-2021-44228 with the highest severity rating of 10. The flaw has been dubbed Log4Shell.

Log4j 2 is an open source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can give threat actors the opportunity to take control of any Java-based, internet-facing server and carry out Remote Code Execution (RCE) attacks.

From CVE-2021-44228 detail: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” The impact from this vulnerability is likely to be very widespread. There are already reports that threat actors are actively engaged in mass Internet scanning to identify servers vulnerable to exploitation. 

Cybereason is aware of the vulnerability and has completed verification that this issue does not affect Cybereason products or services.

For those who are concerned about closing third-party vulnerabilities (i.e., products aside from Cybereason), the following are some proactive measures organizations can take to reduce the risk posed by CVE-2021-44228:

    • Upgrade to Apache Log4j 2.15.0-rc2, as all prior 2.x versions are vulnerable
    • For Log4j version 2.10.0 or later, block JNDI from making requests to untrusted servers by setting the configuration value log4j2.formatMsgNoLookups to true to prevent LDAP and other lookups
    • Set both com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false (their default since Java 8u121) to prevent Remote Code Execution attacks
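The following audit script is an added example (not Cybereason tooling) that checks a Java launch command against the three measures above: it reads Log4j core versions from the classpath jar names, tests them against the 2.0 to 2.14.1 range, and confirms that `log4j2.formatMsgNoLookups` is set and is actually honoured (the flag only exists from 2.10.0). It assumes the mitigation is applied as a `-D` JVM system property, that jars follow the standard `log4j-core-<version>.jar` naming, and a Unix `:` classpath separator; the command lines in the test are constructed.

```python
import re
import shlex

# Vulnerable range as stated in the advisory: Log4j 2 versions 2.0 through 2.14.1.
VULN_LOW, VULN_HIGH = (2, 0, 0), (2, 14, 1)
NOLOOKUPS_MIN = (2, 10, 0)  # formatMsgNoLookups is only honoured from 2.10.0 onward
TRUST_PROPS = (
    "com.sun.jndi.rmi.object.trustURLCodebase",
    "com.sun.jndi.cosnaming.object.trustURLCodebase",
)
# Assumes the standard Maven artifact name, e.g. log4j-core-2.14.1.jar or log4j-core-2.15.0-rc2.jar.
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)(?:[-.]\w+)?\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.15.0-rc2' -> (2, 15, 0); '2.0' -> (2, 0, 0)."""
    nums = [int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group(0).split(".")]
    return tuple((nums + [0, 0, 0])[:3])


def is_vulnerable_version(version):
    return VULN_LOW <= parse_version(version) <= VULN_HIGH


def jvm_properties(argv):
    """Collect -Dkey=value system properties from the argument list."""
    return dict(arg[2:].split("=", 1) for arg in argv if arg.startswith("-D") and "=" in arg)


def classpath_jars(argv):
    """Entries of every -cp / -classpath option (Unix ':' separator assumed)."""
    jars = []
    for i, arg in enumerate(argv):
        if arg in ("-cp", "-classpath") and i + 1 < len(argv):
            jars.extend(argv[i + 1].split(":"))
    return jars


def audit_jvm_command(cmdline):
    """Audit one java command line. Jars shaded into an application jar are not
    visible here, so an empty version list means 'not found', not 'not present'."""
    argv = shlex.split(cmdline)
    props = jvm_properties(argv)
    matches = (JAR_RE.search(e.rsplit("/", 1)[-1]) for e in classpath_jars(argv))
    versions = [m.group(1) for m in matches if m]
    vulnerable = [v for v in versions if is_vulnerable_version(v)]
    no_lookups = props.get("log4j2.formatMsgNoLookups", "").lower() == "true"
    # A vulnerable jar older than 2.10.0 ignores the flag and still needs the upgrade.
    flag_effective = no_lookups and all(parse_version(v) >= NOLOOKUPS_MIN for v in vulnerable)
    trust_enabled = [p for p in TRUST_PROPS if props.get(p, "false").lower() == "true"]
    return {"log4j_versions": versions, "vulnerable_versions": vulnerable,
            "format_msg_no_lookups": no_lookups, "lookup_flag_effective": flag_effective,
            "trust_url_codebase_enabled": trust_enabled,
            "exposed": bool(vulnerable) and not flag_effective}
```

Run it over the output of `ps -o args= -C java` on each host; any result with `exposed` true or a non-empty `trust_url_codebase_enabled` list needs the upgrade or the property change above.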

If you believe your organization has already potentially been compromised through exploitation of CVE-2021-44228, contact the Cybereason Incident Response Team or reach out to your Cybereason representative for immediate assistance. We are here to help and will provide tools and information to assist others as this vulnerability continues to evolve.

Sam Curry
About the Author

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.