Apache Log4j(2) Vulnerability (CVE-2021-44228)

Vulnerability Detail -

On Dec. 9, security researchers published details regarding a vulnerability in Apache Log4j on all versions from 2.0-beta9 to 2.14.1 that can allow a remote, unauthenticated attacker to execute code on systems impacted by this vulnerability. This vulnerability received the highest possible Common Vulnerable Score System (CVSS) rating of 10 on a scale of 1 to 10. CVSS is an industry-standard for assessing the severity of computer system security vulnerabilities.

On Dec. 10, Apache released version 2.15.0 to address this vulnerability along with mitigation for versions >/= 2.10.

On Dec. 14, Apache released version 2.16.0 to further address this vulnerability.

Apache Log4j is a widely used, open-source Java library that is used to keep a record of activity within an application.

On Dec. 18, Apache released version 2.17.0 to address a DoS that affects Log4j v2.16

MicroBilt Response -

MicroBilt has assessed our internet-facing applications for the presence of this vulnerability, due to the deployed technology configuration of our internet-facing applications MicroBilt was not and is not vulnerable via any internet-facing application. Internally a small number of management and non-production systems were found to be potentially vulnerable. While awaiting vendor patches, MicroBilt has deployed mitigation strategies utilizing multiple layers of IPS/IDS firewalls and web application firewalls to block any potential exploitation of this vulnerability. Our security team continues to proactively monitor the MicroBilt environment for updated attack vectors related to this vulnerability and will update MicroBilt systems with the latest vulnerability signatures, exploitation detections, and other mitigants as new information is learned about this vulnerability. At this time, MicroBilt has not identified any MicroBilt systems that have been compromised due to this vulnerability.

In addition to the remediation described above, MicroBilt utilizes layered controls to protect against new vulnerability exploits. This includes firewalls in front of our internet-facing web applications, firewalls between each segment of internal networks which both mitigate application attacks such as those related to the Apache Log4j vulnerability, endpoint detection and response, which makes it more difficult to successfully leverage such a vulnerability, and robust monitoring of and response to anomalous actions on our systems that are likely to follow such a vulnerability exploit.

Customer / Vendor Response -

MicroBilt has sent out a vendor vulnerability assessment questionnaire to all partners and vendors, responses are being tracked in our vendor management system and we continue to work with vendors and partners to collectively guard and mitigate against this CVE

MicroBilt recommends that clients follow the guidance provided by Apache and the U.S. Government’s Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) and upgrade to version 2.16.0 or as recommended by the Apache Foundation immediately – see links below.

For any internet-facing systems identified with this vulnerability, forensics of the systems are highly recommended to determine whether those systems have been compromised.

https://logging.apache.org/log4j/2.x/security.html