Log4j

Log4j Vulnerability Assessment & Response

UPDATED: 12/22/2021 @ 12:57 pm Eastern

Background:

On December 10, 2021, a novel remote code execution vulnerability was released into the wild. Tracked as CVE-2021-44228, this vulnerability affected Apache’s Log4j software library. This software library is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system. Following Apache’s release of the original CVE-2021-44228 patch, security researchers identified related vulnerabilities in Apache Log4j 2.12.2 (Java 7) and 2.16.0 (Java 8) on December 13, 2021. These subsequent RCE vulnerabilities were tracked as CVE-2021-45046, with a patch released on December 13, 2021. The combined application of these patches in Java 8 environments was subsequently identified to contain a Denial of Service (DoS) vulnerability, tracked under CVE-2021-45105. This vulnerability was resolved with the release of Log4j 2.17.0 for Java 8 on December 17, 2021.

Update: 12/22/2021 1641 UTC: Using updated guidance provided by CISA alert AA21-356a, CIT is performing a third wave of evaluation across all managed client environments for vulnerable software libraries and services. CIT is using a combination of on-device vulnerability analysis using commercial vulnerability management tools, reported software vulnerability posture statements provided by software vendors, and network-based vulnerability analysis using a mechanism of simulated exploitation of the Log4J attack vector.

Internal Systems:

CIT’s internal systems are constructed using the NIST National Cybersecurity Center of Excellence (NCCoE) Managed Services Provider reference architecture. This architecture is highly segmented, with strong detective and preventative controls embedded throughout. It is designed to be resistant to zero-day vulnerabilities such as the related Log4j vulnerabilities. Even before these vulnerabilities were disclosed, CIT was already subjecting its internal and external network systems to daily full-network vulnerability scans by a commercial third party.

Internal Systems Response Timeline:
  • CIT implemented network-edge controls to arrest and detect exploitation of the Log4j vulnerability between each of its network subnets on December 10th, 2021, hours after the initial announcement.
  • CIT has worked with each of its internal software providers to determine their vulnerability and response to the three related Log4j vulnerabilities. This assessment was completed in the early hours of December 11th, 2021.
  • On December 11th, 2021, one on-premise software package was identified through CIT’s network vulnerability scanning as vulnerable. This package was remediated immediately. No exploitation has been observed.
  • On December 12, 2021, an on-premise software package was identified as potentially vulnerable and, out of an abundance of caution, this package’s use was suspended until the vulnerability could be confirmed to be remediated. No exploitation has been observed.
  • We are performing daily external vulnerability scans using a commercial third party while we validate that there is no unreported exposure by our software vendors.
  • Similarly, we are actively scanning each of our internal network subnets using a separate commercial vulnerability scanner.
  • As of December 15, 2021, we have completed thorough software analysis and remediated all internal exposure to the Log4j vulnerabilities.
  • Real-time monitoring of CIT’s network boundaries is being performed for any attempted Log4j exploitation.
  • Update: 12/22/2021 1755 UTC: CIT completed internal analysis of its systems using CISA’s prescribed methodologies under AA21-356a and found no systems or software vulnerable to the set of exploits.

Managed Systems Response Timeline:

Due to the highly interrelated nature of these vulnerabilities, CIT has treated the aggregate of these vulnerabilities as a single critical software vulnerability incident.

CIT, through its relationships with the Center for Internet Security, Fortinet’s Product Security and Incident Response Team (PSIRT), and CISA’s joint cyber defense initiative, obtained publicly available vulnerability details as well as non-public proof of concept exploitation code on December 10, 2021. Using this information, CIT has treated this vulnerability as a critical widespread vulnerability and immediately began a process of quantification, containment, and prioritized remediation of the network and computer systems under its active management.

The approach we chose was to first implement strong controls to broadly block what was expected to be a large number of attacks targeting this vector. This began at the external network edge (facing the Internet) and then moved inward to and between internal network segments. This approach follows guidance offered by CISA and is consistent with recognized incident handling protocols.

  • On December 10th, intrusion detection signatures for the Log4j exploitation attack were distributed to all managed firewall devices. CIT used a strategy of outside-to-inside containment and mitigation in the prioritized deployment of this signature.
  • On December 10th, CIT discovered that one of its enterprise software packages was vulnerable to the Log4j vulnerability. This vulnerability was remediated in the early hours of December 11th.
  • By the early hours of December 11th, all inbound and outbound traffic flowing through CIT-managed firewall devices was being inspected and controlled for exploitation of Log4j vulnerabilities.
  • On December 11th, a small number of software manufacturers had reported their respective software status and vulnerability to the Log4j vulnerability. Using this preliminary data, CIT began assessing installed software across all managed servers and workstations for the presence of vulnerable software based on the manufacturers’ responses.
  • On December 13th, CIT began a widespread campaign to identify vulnerable software within its clients’ managed environments. Using a growing library of software vendor vulnerability statements, installed software versions were compared to those stated as vulnerable by the respective software vendor.
  • Beginning on December 13, available software patches began to be identified and their impact evaluated for installation to vulnerable environments.
  • Reliable vulnerability signatures for the three related CVEs this update covers were available on December 13th, 2021. Using software installed on each managed endpoint, detailed library-level vulnerability assessment was performed.
  • Beginning on December 16th, daily review of application and intrusion detection events specific to Log4j attack and exploitation is being conducted by CIT personnel.
  • Daily updates to the vulnerability posture of enterprise software continue to be released by software manufacturers. CIT’s deployed enterprise vulnerability management software is performing daily assessment of all managed endpoints to compare with these updates.
  • Beginning on December 16th, daily full-network vulnerability scans are taking place for clients that subscribe to network-based device vulnerability scanning.
  • CIT is reviewing the vulnerability posture of its managed clients on a daily basis as additional software vendors release updated and revised vulnerability posture statements.
  • UPDATE: On December 22, CISA issued updated guidance for the detection and mitigation of the group of related Log4j vulnerabilities, CISA AA21-356a. Using this guidance, CIT evaluated each managed client’s environment using a set of three overlapping detective methodologies: on-machine vulnerability analysis, evaluation of software vendors’ reported vulnerability posture using CISA’s centrally maintained list, and network-based scanning of all network-attached devices for their exploitability.
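The version-comparison and library-level assessment steps above, shown as an added Python example that is not CIT’s tooling or any vendor’s: it classifies log4j-core jars found in a constructed software inventory against the three CVEs this update tracks. The 2.15.0 fix for CVE-2021-44228 and the 2.12.3 Java 7 fix for CVE-2021-45105 are taken from the Apache advisories, not from this page, and are labelled as assumptions in the code.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed log4j-core release for each CVE, per Log4j 2 release line.
# "2.12" is the Java 7 line named in the update; "default" is the Java 8 line.
# Assumption: thresholds are from the Apache advisories, not from this page.
FIXED_IN: Dict[str, Dict[str, Version]] = {
    "CVE-2021-44228": {"2.12": (2, 12, 2), "default": (2, 15, 0)},
    "CVE-2021-45046": {"2.12": (2, 12, 2), "default": (2, 16, 0)},
    "CVE-2021-45105": {"2.12": (2, 12, 3), "default": (2, 17, 0)},
}

# Only log4j-core carries the vulnerable lookup code; log4j-api jars are ignored.
_JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def parse_jar_version(path: str) -> Optional[Version]:
    """Return the log4j-core version named in a jar path, or None for other jars."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _JAR_RE.match(name)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def open_cves(version: Version) -> List[str]:
    """List the tracked CVEs that are still unfixed in this log4j-core version."""
    line = "2.12" if version[:2] == (2, 12) else "default"
    return [cve for cve, fixes in FIXED_IN.items() if version < fixes[line]]


def assess(paths: List[str]) -> Dict[str, List[str]]:
    """Map each log4j-core jar in an inventory to its open CVEs; others are skipped."""
    report: Dict[str, List[str]] = {}
    for p in paths:
        v = parse_jar_version(p)
        if v is not None:
            report[p] = open_cves(v)
    return report


# Constructed inventory of jar paths, as an endpoint agent might report them.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "C:\\Program Files\\Vendor\\lib\\log4j-core-2.16.0.jar",
    "/opt/legacy/lib/log4j-core-2.12.2.jar",
    "/opt/app/lib/log4j-core-2.17.0.jar",
    "/opt/app/lib/log4j-api-2.17.0.jar",
]

if __name__ == "__main__":
    for jar, cves in assess(SAMPLE_PATHS).items():
        print(jar, "->", ", ".join(cves) if cves else "no tracked CVE open")
```

A jar whose name carries no version (a vendor-shaded or renamed copy) is not matched here, which is why the update pairs version comparison with on-device library-level assessment rather than relying on file names alone.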

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.

CIT