Apache Log4j Vulnerabilities vs. GRC
On December 10, Apache released details about a Log4j-core vulnerability nicknamed "Log4Shell". It is documented in CVE-2021-44228, and rated a rare 10 out of 10 on the CVSS vulnerability rating scale. Log4j-core is a logging library that can query Java Naming and Directory Interface (JNDI) to access services such as LDAP and DNS.
The flaw, which allows for remote code execution (RCE), exists in the JNDI lookups feature, enabled by default in versions Log4j 2.0-beta9 to Log4j 2.14.1. The report says, "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from malicious LDAP or DNS servers when message lookup substitution is enabled."
According to darkreading.com, "Attackers can exploit the feature to take complete remote control of vulnerable systems, which can include Internet-facing systems, internal systems, network components, virtual machines, industrial control and SCADA systems, and cloud-hosted assets."
Soon after that, Apache reported a second Log4j vulnerability, CVE-2021-45046. According to the report, the new vulnerability allowed attackers to craft malicious input data using a JNDI lookup pattern, resulting in denial-of-service (DoS) attacks.
Next, a third Log4j vulnerability was reported in CVE-2021-45105. The report states that the vulnerability "allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted."
Because Log4j is a standard logging tool in Java environments, the Log4j vulnerabilities present a large attack surface across the internet. It is used in various web services, applications, and Operational Technology (OT) systems. According to CISA, "This is an evolving situation, and these vulnerabilities are likely to be exploited over an extended period."
Vulnerabilities in software libraries like Log4j are nothing new in software products. In 2021, attacks on 'Components with Known Vulnerabilities' moved from number 9 on the OWASP Top Ten to number 6 and were renamed 'Vulnerable and Outdated Components.' Software vulnerabilities are a practical reality, and mitigating such risks should be built into an organization's Governance, Risk Management, and Compliance (GRC) program.
Mitigating Log4j Vulnerabilities
On December 22, CISA released Alert AA21-356A, guiding affected organizations with IT and cloud assets. Here is an outline summary of recommended steps to mitigate the Log4j vulnerability.
STEPS TO MITIGATE Log4j VULNERABILITIES
1. Identify vulnerable assets
- Inventory all assets that make use of the Log4j library. According to public reports, adversaries may be patching and mitigating assets as they compromise them to hide and retain control. Assume all Java and Log4j versions are vulnerable.
- Treat known and suspected assets as compromised. Isolate them from the network until they can be mitigated.
- Update Log4j libraries to the latest versions according to the Apache Log4j Security Vulnerabilities page.
- Keep accurate records on patched assets. Records may help identify whether a threat actor patched the asset post-compromise.
- Use more than one method to determine if mitigation efforts have worked. Monitor the assets carefully and remain alert to updates from CISA and Apache.
- Conduct forensic investigation on suspected assets. Monitor login accounts for systems using Log4j. Inspect config changes made since December 1 and verify that they were intended.
- If compromise is detected, organizations should initiate incident response procedures. U.S. organizations should consider reporting incidents and vulnerabilities to CISA and the FBI.
- Continue to monitor assets closely and remain alert to updates from vendors of applicable software.
- Block specific outbound TCP and UDP traffic such as LDAP and DNS.
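As an added example (not from the CISA alert, Apache or this post), a small Python inventory script for the "identify vulnerable assets" and "keep accurate records" steps above: it walks a directory tree, reads each log4j-core JAR's Maven pom.properties for its version, notes whether the JndiLookup class (the JNDI lookups feature) is present, and flags versions inside the 2.0-beta9 to 2.14.1 range quoted earlier. The three sample JARs, their versions and the temporary directory are constructed for the demo; anything newer than 2.14.1 is marked "verify" for confirmation against Apache's security page rather than assumed safe.

```python
import os
import re
import tempfile
import zipfile

# Paths inside a log4j-core JAR: Maven metadata and the JNDI lookup class.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LAST_IN_RANGE = (2, 14, 1)  # upper bound of the range named in CVE-2021-44228

def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> (0, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def classify(version, has_jndi_lookup):
    """Status of one log4j-core JAR; an unknown version is assumed vulnerable."""
    if version_tuple(version) <= LAST_IN_RANGE:  # inside 2.0-beta9..2.14.1
        return "vulnerable" if has_jndi_lookup else "mitigated"
    return "verify"  # newer than 2.14.1: confirm against Apache's security page

def inspect_jar(path):
    """Return (version, status), or None if the JAR is not log4j-core."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM not in names:
            return None
        props = jar.read(POM).decode("utf-8", "replace")
        match = re.search(r"^version=(.+)$", props, re.M)
        version = match.group(1).strip() if match else "unknown"
        return version, classify(version, JNDI in names)

def inventory(root):
    """Map every log4j-core JAR path under root to (version, status) for the asset record."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.endswith(".jar")):
            result = inspect_jar(path)
            if result:
                found[path] = result
    return found

def demo():
    """Constructed sample input: three minimal JARs in a temp dir, then inventory them."""
    root = tempfile.mkdtemp()
    samples = {"a.jar": ("2.14.1", True), "b.jar": ("2.14.1", False), "c.jar": ("2.17.0", True)}
    for name, (version, with_jndi) in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr(POM, "version=%s\nartifactId=log4j-core\n" % version)
            if with_jndi:
                jar.writestr(JNDI, b"")  # placeholder bytes, not a real class file
    return {os.path.basename(p): s for p, s in inventory(root).items()}
```

Point `inventory()` at an application's install tree and keep its output with a timestamp; comparing successive runs shows whether a JAR changed outside your own patch window, which is the post-compromise patching the alert warns about.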
Defensive mitigation strategies are valuable when a vulnerability like Log4j shows up and help organizations respond quickly to avoid, minimize or recover from an exploit. The best way to fight cybersecurity risk is to take a proactive approach by maintaining a robust GRC program. The best time to prepare for vulnerabilities and incidents is before they occur.
CISA - Cybersecurity Incident & Vulnerability Response Playbooks
In November, in response to the White House executive order 14028 on improving national cybersecurity, CISA published the Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks are intended to standardize operational procedures used by Federal agencies to identify, remediate and recover from vulnerabilities (e.g., Log4j) and incidents. Although the playbooks are directed explicitly toward Federal Civilian Executive Branch (FCEB) agencies, CISA encourages private sector organizations to use them to benchmark their response practices.
CISA published the playbooks roughly a month before Apache released details of the three Log4j vulnerabilities. Following is a summary of the Vulnerability Response Playbook with notes on how it could have been applied to the Log4j vulnerabilities.
The CISA Vulnerability Response Playbook applied to Log4j
The vulnerability response playbook can be applied to vulnerabilities known to be "exploited in the wild," which typically have CVE descriptors, 'new' vulnerabilities that do not yet have CVEs, as well as internal vulnerabilities created by misconfigurations.
"Chance favors the prepared mind" – Louis Pasteur, 19th-century bacteriologist
Just as chance favors the prepared mind, effective vulnerability response favors the prepared organization. Killer vulnerability response is built on top of a robust risk management program.
Maintaining a comprehensive asset inventory is a crucial risk/vulnerability management component relevant to Log4j. For the Log4j example, an organization will have prior knowledge of all servers utilizing the Log4j logging library, the running software versions, and a record of any patches or configuration changes made to those systems. Once the vulnerability becomes known, the organization immediately understands its exposure and has taken the first step toward remediation.
Other essential aspects of preparation include:
- Policies and procedures – include roles and responsibilities
- Instrumentation – Antivirus, endpoint detection, data loss prevention, packet capture, intrusion detection and prevention, and security information and event management systems
- Trained personnel
- Cyber-threat intelligence monitoring – monitor intelligence feeds for threat and vulnerability advisories – use the MITRE ATT&CK framework Tactics, Techniques, and Procedures (TTP) as threat indicators and form an understanding of adversaries' behavior.
- Active defense – Sandbox, honeynet, and canaries
- Communications and logistics – coordination with agencies and partners, information sharing protocols and channels
- Operational security (OPSEC) – Ensure vulnerability response systems remain operational should the organization come under attack
Proactively monitor the threat landscape through information sources and internal system monitoring. Information sources include the CISA/US-CERT cyber awareness system and NIST's National Vulnerability Database (NVD). In the example of Log4j, alerts were issued by US-CERT, NIST, and the vendor, Apache. In advance of the reports, internal monitoring could potentially detect intrusions by attackers leveraging Log4j vulnerabilities.
Determine if the vulnerability exists in the system and the criticality of potentially affected systems.
Remediation efforts include patching or other workarounds and prevention techniques. Appropriate mitigations may include isolating systems, making permanent configuration changes, disabling unneeded services (e.g., disabling JNDI by default), reconfiguring firewalls, or increasing monitoring. For example, one of the recommended mitigations for Log4j is to block specific outbound TCP and UDP traffic, including LDAP and DNS. The goal is to understand the status of each system as either not affected, susceptible, or compromised.
Reporting and Notification
Ten years ago, organizations were often reluctant to share vulnerability and incident information with others, including federal agencies. There is no longer a stigma attached to being cyber-attacked, as the industry has learned that practically all services and organizations are under constant attack. Information sharing has evolved as an effective tool for fighting adversaries. Consider reporting vulnerabilities and incidents to partners and agencies like CISA and the FBI.
For the Log4j example, shared information helps organizations become aware of vulnerabilities more quickly and execute appropriate response activities.
Governance, Risk Mitigation, and Compliance (GRC)
As cyber-vulnerabilities increase organizations' hazard and control risks, the corresponding growth of laws and regulations also increases compliance risks. Increasingly, penalties are directed personally toward executive managers as the corporate governance team. Compliance risk captures the legal and financial penalties organizations face.
The concept of GRC is evolving as a way for organizations to take a holistic approach to governance, cybersecurity, and compliance risk. GRC is an approach that involves the entire organization and is designed to be both effective and cost-efficient. GRC reduces the effect of siloed operations and improves the organization's overall control, security and compliance. Look for more on GRC in future blogs.
The Log4j vulnerabilities are an evolving threat, nearly ubiquitous across the internet. We will likely learn more about them and new related vulnerabilities in the weeks to come. Open-source and shared libraries are a software reality, and vulnerabilities in such code represent a sort of persistent threat for which organizations need to be on the lookout.
CISA, Apache, NIST, and other agencies have provided specific guidance on remediating Log4j vulnerabilities. The best defense against Log4j and similar vulnerabilities is to take a proactive approach. Proactive defenses could include robust cybersecurity risk management and GRC programs.
Building a cybersecurity risk management or a robust GRC program can seem like a complex challenge. Not every organization has the internal skill set to navigate the complicated cybersecurity and risk management landscape on its own.
Truvantis is a cybersecurity consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our customers improve their cybersecurity posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance.
Contact Truvantis today and see how we can help design cybersecurity risk management and compliance tailored to your organization's size, scope, and business goals.