Advisory: Apache Log4j zero-day vulnerability, AKA Log4Shell (CVE-2021-44228)

Kshitij Kathuria, Cybersecurity & Compliance


What is the Log4j vulnerability?

On December 9, a remote code execution (RCE) vulnerability was identified in Apache Log4j, a Java logging library that is a ubiquitous software component used throughout the Internet and in many applications. The vulnerability is particularly dangerous because it allows an attacker to execute unauthorized code, such as ransomware and other types of malware, on an affected system. It has received a score of 10.0 out of 10 on the Common Vulnerability Scoring System (CVSS).

Security firms have observed multiple hosts scanning the Internet for servers running Apache Log4j.

Log4j is used in most Java-based applications and servers, including almost all Apache enterprise products: Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo, and likely many more.

The Log4j 2 library is very frequently used in enterprise Java software. Because it is embedded in so many products rather than installed as a stand-alone component, the impact is difficult to quantify. As with other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe an increasing number of vulnerable products will be discovered in the weeks to come. Given the ease of exploitation and the breadth of affected software, we expect ransomware actors to begin leveraging this vulnerability immediately.

Who is affected?

Netgain is tracking a list of affected companies and products published on GitHub. The list is a community-driven effort and will be updated as more companies are identified. It currently includes the following companies and products:

  • Amazon
  • Apache Druid
  • Apache Solr
  • Apache Struts2
  • Apple
  • Baidu
  • Blender
  • CloudFlare
  • DIDI
  • ElasticSearch
  • ghidra
  • ghidra server
  • Google
  • IBM Qradar SIEM
  • JD
  • LinkedIn
  • Minecraft
  • NetEase
  • PaloAlto Panorama
  • PulseSecure
  • Steam
  • Tencent
  • Tesla
  • Twitter
  • UniFi
  • VMWare
  • Webex

Actions taken by Netgain

On Friday, upon learning of this vulnerability, Netgain began an initial assessment of the potential risk to all our systems, including those used to provide services to our clients. The completed evaluation found no exposure in our Internet-facing systems. We continue to evaluate and monitor our third-party software vendors for potential exposure to this vulnerability. So far, our third-party vendors have limited exposure, and where relevant we have followed the guidance they provided to protect these systems.

Recommendations

Netgain recommends immediately updating impacted servers running Apache Log4j to version 2.15.0, released by Apache on December 10, 2021. Netgain also recommends reviewing the logs of impacted applications for any suspicious activity. If unusual activity is found, Netgain recommends treating it as an active incident and responding accordingly.

Netgain is monitoring your environment; if you find a compromised system that Netgain does not manage, we can help you investigate it and monitor for signs of lateral movement and persistence. We will continue to monitor this dynamic situation and will provide updates as necessary.