Content, Breach

Apache Vulnerability: Java Log4j Zero Day Details, Log4Shell Patches and Updates


An Apache software vulnerability -- known as is CVE-2021-44228 -- is triggering concern across the Internet, SC Media reports. Chatter about the vulnerability -- which affects a Java logging package known as Log4j -- has spilled over into the MSP and MSSP markets, where companies such as BlackPoint Cyber, Huntress and others are weighing in with analysis about potential Log4Shell-related attacks.

Update: See this regularly updated Log4j vulnerability timeline.

In a statement, the Cybersecurity and Infrastructure Security Agency (CISA) on December 11, 2021 called the log4j vulnerability a "severe risk" and offered this four-step guidance to patch Log4j and mitigate potential Log4Shell cyberattacks.

Apache Log4j is a library for logging functionality in Java-based applications, Red Hat notes. A related Log4Shell exploit is active in the wild, Qualys adds. Also, Cybereason researchers have developed and released a Log4j vaccine fix that "requires only basic Java skills to implement and is freely available to any organization." the company says.

Related: MSP Software & Platform Companies Datto, N-able and Pax8 issue Log4j statements

Apache Log4j Vulnerability: More Details, Security Guidance for MSPs and MSSPs

Xavier Salinas, VP of threat operations, BlackPoint Cyber

The CVE-2021-44228 vulnerability allows unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache’s Log4j 2, noted Xavier Salinas, VP of threat operations at BlackPoint Cyber. "This is a VERY popular logging module," added Salinas.

A list of impacted applications is here. The quick-hit advice from Huntress to MSPs, MSSPs and the end-customers they serve:

"If your organization uses the log4j library, you should upgrade to log4j-2.1.50.rc2 immediately. Be sure that your Java instance is up-to-date; however, it’s worth noting that this isn’t an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products."

Some additional advice from Salinas of BlackPoint Cyber:

"MSPs need to check every Java app they use whether commercial or in-house developed for log4j, a pattern match can be used as followed to see if an app could be vulnerable." He mentions log4j-core-*.jar

Apache Log4j: More Mitigation Guidance

If patching is not immediately possible there are a couple workarounds, Salinas notes:

  1. You can set the JVM parameter “log4j2.formatMsgNoLookups;” to True
  2. Put a WAF or Proxy in front of the vulnerable Java app and block access to connections with the User Agent header string “jndi:ldap” and “jndi:dns”

Meanwhile, MSP-focused technology companies are checking their on software platforms for potential Log4j-related vulnerabilities. Statements from ConnectWise, Datto, Kaseya, N-able, NinjaOne and Pax8 are here.

Blog originally published Friday, December 10. Updated regularly thereafter.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.