How to protect your systems against the log4j zero-day vulnerability
In recent days, security researchers reported a zero-day, high-impact, high-severity vulnerability in the popular log4j Java library. The vulnerability is tracked as CVE-2021-44228 and has been given the name "Log4Shell" or "LogJam". The flaw affects Apache log4j up to and including 2.14.1, in an unspecified part of the JNDI LDAP Server Lookup Handler component. Potential threat vectors include exploitation that could enable unauthenticated remote code execution (RCE) and possibly access to endpoints and server estates.
The log4j Java library is widely used by many cloud services and enterprise applications; moreover, nearly all infrastructure and network systems run some kind of logging process, which gives popular libraries like log4j an enormous reach.
The best possible mitigation is to upgrade to the latest version, 2.15.0. Alternatively, the vulnerability can be mitigated by applying the configuration setting log4j2.formatMsgNoLookups = true.
The Cybersecurity and Infrastructure Security Agency (CISA) recommends that asset owners and system administrators take three additional, immediate steps regarding this vulnerability:
Enumerate any external-facing devices that have log4j installed.
Make sure that your security operations centre is actioning every single alert on the devices that fall into the category above.
Install a web application firewall (WAF) with automatically updating rules, so that your SOC can concentrate on fewer alerts.
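The first CISA step (enumerating systems that carry log4j) and the configuration mitigation above both need a check an administrator can actually run. The following Python script is an added example, not code from ITRS, Apache or CISA: it walks a directory tree for log4j-core jars, classifies each one against the 2.15.0 fix version the article gives, and checks whether a JVM's command line or environment carries the lookup-disabling setting. It assumes the jar filename carries the version as log4j-core-<version>.jar, that the vulnerable lookup lives at org/apache/logging/log4j/core/lookup/JndiLookup.class (its real path in log4j-core; a jar with that class removed is treated as mitigated, a widely published workaround the article itself does not mention), and that the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is the equivalent of the system property. The sample jars it scans are constructed in a temporary directory and contain placeholder bytes, not real log4j classes.

```python
"""Scan a directory tree for log4j-core jars and classify them against CVE-2021-44228.

Added example (not ITRS or Apache code). Assumptions: version is taken from the
log4j-core-<version>.jar filename, the fixed version is 2.15.0 as the article states,
and the vulnerable lookup class is org/apache/logging/log4j/core/lookup/JndiLookup.class.
"""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)  # fix version as given in the article
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(filename):
    """Return (major, minor, patch) from a log4j-core jar name, or None for other jars."""
    m = JAR_RE.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def classify_jar(path):
    """Classify one jar: 'fixed', 'vulnerable', 'mitigated-class-removed' or 'unknown'.

    Fixed versions are decided on the filename alone; older jars are opened to see
    whether the JNDI lookup class is still inside them."""
    version = parse_version(os.path.basename(path))
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "fixed"
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_LOOKUP in jar.namelist()
    return "vulnerable" if has_jndi else "mitigated-class-removed"


def scan_tree(root):
    """Walk root and return {jar_path: classification} for every log4j-core jar found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                findings[path] = classify_jar(path)
    return findings


def mitigation_flag_set(jvm_args, environ):
    """True if the article's configuration mitigation is active for a JVM, either via the
    -Dlog4j2.formatMsgNoLookups=true system property or (assumption: equivalent) the
    LOG4J_FORMAT_MSG_NO_LOOKUPS=true environment variable."""
    if any(a.lower() == "-dlog4j2.formatmsgnolookups=true" for a in jvm_args):
        return True
    return environ.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def build_sample_tree():
    """Create a throwaway directory of fake jars (constructed test data, not real log4j)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "app1/lib/log4j-core-2.14.1.jar": True,   # old version, lookup class present
        "app2/lib/log4j-core-2.15.0.jar": True,   # fixed version, class presence irrelevant
        "app3/lib/log4j-core-2.10.0.jar": False,  # old version with the class stripped out
    }
    for rel, with_class in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_class:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes only
    return root


def scan_sample():
    """Scan the constructed tree and key results by path relative to its root."""
    root = build_sample_tree()
    return {os.path.relpath(p, root): c for p, c in scan_tree(root).items()}


if __name__ == "__main__":
    for jar, verdict in sorted(scan_sample().items()):
        print(f"{verdict:25} {jar}")
    # Constructed JVM command line, as an operator might read it from a process listing.
    print(mitigation_flag_set(["-Xmx2g", "-Dlog4j2.formatMsgNoLookups=true", "-jar", "app.jar"], {}))
```

Point scan_tree at an application's deployment root rather than the constructed sample, and treat anything reported as "vulnerable" as a candidate for the upgrade or configuration change the article describes; "unknown" covers jars whose name does not carry a parseable version and needs a manual look at the jar manifest.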
In the context of the ITRS product suite and CVE-2021-44228, post-incident analysis has confirmed that Geneos Netprobe, Geneos Gateway, Geneos Licence Daemon, OP5 Monitor Base, Capacity Planner, Cloud Cost Optimisation and Uptrends Checkpoint are not affected by the log4j vulnerability.
For the list of the affected components and remediation advisory, please follow the advice in the ITRS log4j support article.