Apply vendor recommended patch updates released within the last few days
Until last Friday I was not familiar with Apache Log4j but I have learned that it makes use of Java Naming and Directory Interface (JNDI) to distribute java applications to lookup services in an abstract, resource-dependent way. The issue is that JNDI was built for efficiency and with minimal security measures in place. This means that Log4j's JNDI support allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component.
Microsoft blogged that they observed a bulk of website fingerprint for vulnerable sites using this string
CloudFlare blogged that they see an increase in vulnerable server reconnaissance using this string
followed by a browser specific attack
The one that surprised me the most is the non-encrypted request to port 443 (which is supposed to be secure) and they were successful.
So now that we know it is actively being exploited in the wild what can we do to secure ourselves?
- Upgrade Apache Log4j to version 2.16.0 or higher published on December 13 2021
If you cannot upgrade to version 2.16.0 or higher, implement these options
- For >=2.10, set system property log4j2.formatMsgNoLookups to true.
- For >=2.10, set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For 2.0-beta9 to 2.10.0, remove JndiLookup.class from class path: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
- Disable JNDI, Set up spring.jndi.ignore=true
- Disable JNDI lookup, Set up log4j2.formatMsgNoLookups=true
2. Install a Web Application Firewall (WAF) to block malicious inbound requests
3. Block executable files from running unless they meet a prevalence, age, or trusted list criterion
4. Update your firewall signatures, most vendors have release critical updates within the last 48 hours
5. Some application vendors are also releasing critical patches so update your application
TrendMicro published a list of Indicator of Compromise that you can use to scan your environment.
Use Splunk guidance on how to search for it in your environment