NCC Group is investigating the recently published vulnerability in Apache Log4j in order to improve detection and response capabilities and help our customers to mitigate the threat.
NCC Group does not use Log4j directly in the products that we develop and sell to our customers.
Some third party enterprise software that we use is susceptible to the vulnerability, and we are tracking vendor remediations and implementing them as soon as they are available.
Our security operations centre (SOC) monitors our IT systems and has not detected any successful attempts to exploit this vulnerability on our IT systems.
News of the Log4Shell vulnerability broke in mid-December 2021 when a security researcher sounded the alarm. Now, a worldwide race to either patch or exploit it has ensued between researchers and threat actors, including nation-states, criminal groups, and crypto miners. The ripple effect could include sensitive data exfiltration and ransomware attacks, and could last months or years.
Described as critical and high-level, the zero-day vulnerability is found in Log4j, a Java-based logging tool developed by the Apache Foundation. It effectively impacts any organization that incorporates Java within the software they use or create.
Are you concerned that your organization has the Log4Shell vulnerability? Read on to find context and resources for live updates, our simple Log4j vulnerability fix, recommendations, and more.
What is Log4j?
Log4j is a widely-utilized logging framework for Java. It can be integrated with Java Naming and Directory Interface (JNDI), an API that abstracts naming and directory services, thus enabling Java applications to look up resources as Java objects. This integration, accessible to almost any logged string input through Log4j, is where the vulnerability lies.
Unfortunately, JNDI is flexible in nature, and it’s this flexibility within templating in logged strings that makes the vulnerability especially difficult to detect or investigate.
Are you unsure if you were affected by the Log4j vulnerability?
Test for the Log4j vulnerability with Managed Detection and Response (MDR) or Managed Vulnerability Scanning Services (MVSS), or reach out to a detection expert for help.
What should organizations do if they suspect they have the Log4j vulnerability?
As with many zero-day vulnerabilities, you may not know whether your organization's software incorporates Log4j.
The crucial first step is to find out whether you use Log4j. Next, put measures in place to identify and respond to any threats that may occur in the future due to this vulnerability. Patching the Log4j vulnerability as soon as possible helps prevent exploitation.
1. Identify vulnerable software/devices via:
-
- Asset inventories;
- Software bill of material manifests;
- Software build pipeline dependency manifests (e.g. Maven, etc.);
- Vendor bulletins (see below);
- File system discovery (see below) on Windows and Linux to identify class files;
- Log file analytics to identify log4j like entries, and
- Exploitation (see below).
2. Software developers should ensure they strictly enforce via Gradle and similarly non vulnerable versions of log4j to mitigate transient dependencies.
3. When encountering Log4Shell/Log4J/CVE-2021-44228 related artefacts, please consider doing the following:
-
- Create a machine snapshot or create clone of virtual servers. Include memory, if possible, successful exploits might run in-memory only;
- Secure firewall logs;
- Secure flow logs; and
- Secure proxy logs.
4. Patch vulnerable software for which patches are available (see vendor bulletins). A hot patch also exists (see below).
5. Limit network egress from hosts where vulnerable software exists when possible.
6. Mitigate through configuration changes as specified in our Research blog, linked in our Further Reading below.
7. Ensure protective monitoring via extensive scanning of:
-
- Network for remote class loading;
- On host for remote class loading;
- On host for unexpected command execution; and
- For a mitigation hotfix, also see our Research blog.
How We Can Help
Further Reading on Log4j
Still unsure which next steps your business should take to detect or mitigate the Log4j vulnerability?
Reach out to a cyber security expert, or have us call you back. We'll help you find out if you were affected, if your operations have been impacted, and start the mitigation process.