Apache Log4j Vulnerability: More Details, Security Guidance for MSPs and MSSPs
Xavier Salinas, VP of threat operations, BlackPoint CyberThe CVE-2021-44228 vulnerability allows unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache’s Log4j 2, noted Xavier Salinas, VP of threat operations at BlackPoint Cyber. "This is a VERY popular logging module," added Salinas.
"If your organization uses the log4j library, you should upgrade to log4j-2.1.50.rc2 immediately. Be sure that your Java instance is up-to-date; however, it’s worth noting that this isn’t an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products."
Some additional advice from Salinas of BlackPoint Cyber:
"MSPs need to check every Java app they use whether commercial or in-house developed for log4j, a pattern match can be used as followed to see if an app could be vulnerable." He mentions log4j-core-*.jar
Apache Log4j: More Mitigation Guidance
If patching is not immediately possible there are a couple workarounds, Salinas notes:
You can set the JVM parameter “log4j2.formatMsgNoLookups;” to True
Put a WAF or Proxy in front of the vulnerable Java app and block access to connections with the User Agent header string “jndi:ldap” and “jndi:dns”
Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.
Security providers that enforce the basics at scale are better positioned to eliminate simple vulnerabilities and manage the most persistent risk in any environment: human behavior.