An Apache software vulnerability -- known as is CVE-2021-44228 -- is triggering concern across the Internet, SC Media reports. Chatter about the vulnerability -- which affects a Java logging package known as Log4j -- has spilled over into the MSP and MSSP markets, where companies such as BlackPoint Cyber, Huntress and others are weighing in with analysis about potential Log4Shell-related attacks.
Update: See this regularly updated Log4j vulnerability timeline.
In a statement, the Cybersecurity and Infrastructure Security Agency (CISA) on December 11, 2021 called the log4j vulnerability a "severe risk" and offered this four-step guidance to patch Log4j and mitigate potential Log4Shell cyberattacks.
Apache Log4j is a library for logging functionality in Java-based applications, Red Hat notes. A related Log4Shell exploit is active in the wild, Qualys adds. Also, Cybereason researchers have developed and released a Log4j vaccine fix that "requires only basic Java skills to implement and is freely available to any organization." the company says.
Related: MSP Software & Platform Companies Datto, N-able and Pax8 issue Log4j statements
Apache Log4j Vulnerability: More Details, Security Guidance for MSPs and MSSPs
The CVE-2021-44228 vulnerability allows unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache’s Log4j 2, noted Xavier Salinas, VP of threat operations at BlackPoint Cyber. "This is a VERY popular logging module," added Salinas.
A list of impacted applications is here. The quick-hit advice from Huntress to MSPs, MSSPs and the end-customers they serve:
"If your organization uses the log4j library, you should upgrade to log4j-2.1.50.rc2 immediately. Be sure that your Java instance is up-to-date; however, it’s worth noting that this isn’t an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products."
Some additional advice from Salinas of BlackPoint Cyber:
"MSPs need to check every Java app they use whether commercial or in-house developed for log4j, a pattern match can be used as followed to see if an app could be vulnerable." He mentions log4j-core-*.jar
Apache Log4j: More Mitigation Guidance
If patching is not immediately possible there are a couple workarounds, Salinas notes:
- You can set the JVM parameter “log4j2.formatMsgNoLookups;” to True
- Put a WAF or Proxy in front of the vulnerable Java app and block access to connections with the User Agent header string “jndi:ldap” and “jndi:dns”
Meanwhile, MSP-focused technology companies are checking their on software platforms for potential Log4j-related vulnerabilities. Statements from ConnectWise, Datto, Kaseya, N-able, NinjaOne and Pax8 are here.
Blog originally published Friday, December 10. Updated regularly thereafter.
