4 Step Mitigation For Log4j Attacks
4 Step Mitigation For Log4j Attacks
4 Step Mitigation For Log4j Attacks
However, it is challenging to check your environment for a vulnerable Log4j version because
of the following reasons:
● It is a library widely used in many software and applications. Some products utilize the
Log4j library externally, but some standalone Java applications use it embedded in
their executables. It is tough to detect a Log4j library embedded in a standalone
executable.
● The Java Runtime Environment (JRE) may also be embedded in this standalone
application. In other words, the absence of a JRE installation on a system does not
mean that Log4j cannot be exploited on this system.
● Although externally used Log4j libraries are easier to detect than embedded ones,
there is another difficulty. Since it is open-source software, anyone may modify and
compile it. So, the effectiveness of hash lists is limited.
Briefly, it is very challenging to discover 100% of vulnerable assets. As with the ShellShock
vulnerability, you may encounter applications with the Log4j vulnerability after months.
Moreover, many public exploits are available, and research for different methods to exploit
the vulnerability is still underway. Incident response and threat hunting are also challenging
since the JNDI string is not actually logged if the exploitation is successful.
1
What are the Immediate Mitigation Measures?
While mid and long term operations continue to discover vulnerable assets, respond to
potential incidents, and hunt for retroactive threats, you must take the following immediate
measures to limit the attack surface:
2
3- Utilize Your Network Security Controls
Remote code execution (RCE) attempts to exploit the Log4j vulnerability can be blocked by
web application firewalls (WAF) and intrusion prevention systems (IPS) by inspecting ingress
network traffic. For egress JNDI traffic from the vulnerable system to the attacker’s system,
firewall rules should be set in place to block attacks.
4- Keep Your Assets Up-to-date but Continue to Simulate Attacks and Harden
Your Perimeter Security
Apache released a patch for CVE-2021-44228. However, it was incomplete, and
CVE-2021-45046 was discovered, and a new patch was released. There might be more
patches on the way, and it is crucial to follow vendor updates. In addition, you should run
attack simulations, identify the gaps in your security controls and fix these gaps as a
continuous effort.
BOOK A DEMO