Content, Breach

Apache Vulnerability: Java Log4j Zero Day Details, Log4Shell Patches and Updates

An Apache software vulnerability -- known as is CVE-2021-44228 -- is triggering concern across the Internet, SC Media reports. Chatter about the vulnerability -- which affects a Java logging package known as Log4j -- has spilled over into the MSP and MSSP markets, where companies such as BlackPoint Cyber, Huntress and others are weighing in with analysis about potential Log4Shell-related attacks.

Update: See this regularly updated Log4j vulnerability timeline.

In a statement, the Cybersecurity and Infrastructure Security Agency (CISA) on December 11, 2021 called the log4j vulnerability a "severe risk" and offered this four-step guidance to patch Log4j and mitigate potential Log4Shell cyberattacks.

Apache Log4j is a library for logging functionality in Java-based applications, Red Hat notes. A related Log4Shell exploit is active in the wild, Qualys adds. Also, Cybereason researchers have developed and released a Log4j vaccine fix that "requires only basic Java skills to implement and is freely available to any organization." the company says.

Related: MSP Software & Platform Companies Datto, N-able and Pax8 issue Log4j statements

Apache Log4j Vulnerability: More Details, Security Guidance for MSPs and MSSPs

Xavier Salinas, VP of threat operations, BlackPoint Cyber

The CVE-2021-44228 vulnerability allows unauthenticated remote code execution (RCE) on any Java application running a vulnerable version of Apache’s Log4j 2, noted Xavier Salinas, VP of threat operations at BlackPoint Cyber. "This is a VERY popular logging module," added Salinas.

A list of impacted applications is here. The quick-hit advice from Huntress to MSPs, MSSPs and the end-customers they serve:

"If your organization uses the log4j library, you should upgrade to log4j-2.1.50.rc2 immediately. Be sure that your Java instance is up-to-date; however, it’s worth noting that this isn’t an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products."

Some additional advice from Salinas of BlackPoint Cyber:

"MSPs need to check every Java app they use whether commercial or in-house developed for log4j, a pattern match can be used as followed to see if an app could be vulnerable." He mentions log4j-core-*.jar

Apache Log4j: More Mitigation Guidance

If patching is not immediately possible there are a couple workarounds, Salinas notes:

  1. You can set the JVM parameter “log4j2.formatMsgNoLookups;” to True
  2. Put a WAF or Proxy in front of the vulnerable Java app and block access to connections with the User Agent header string “jndi:ldap” and “jndi:dns”

    3. Meanwhile, MSP-focused technology companies are checking their on software platforms for potential Log4j-related vulnerabilities. Statements from ConnectWise, Datto, Kaseya, N-able, NinjaOne and Pax8 are here.

    Blog originally published Friday, December 10. Updated regularly thereafter.

    Joe Panettieri

    Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.

    Related

    Related Terms

    Attack Vector

    You can skip this ad in 5 seconds

    Cookies

    This website uses cookies to improve your experience, provide social media features and deliver advertising offers that are relevant to you.

    If you continue without changing your settings, you consent to our use of cookies in accordance with our privacy policy. You may disable cookies.