Cyber Security

log4j log4shell tips and guidelines for action

Structured information and tips for dealing with the log4j vulnerability (CVE-2021-44228)

Michael Hochenrieder · 01.07.2021
Bild mit verschiedenen Screens, als Darstellung für Monitoring

The #Log4Shell vulnerability isn't just a RCE 0day. It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products. It's a 0day cluster bomb.

 

The #Log4Shell vulnerability isn't just a RCE 0day. It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products. It's a 0day cluster bomb.

 

Log4j Informationsquellen

We recommend using the - continuously updated - BSI whitepaper (in German only):

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Webanwendungen/log4j/log4j_node.html

There, current findings are compiled and helpful tools are linked, for example:

 

Good summaries and background are provided by the following sources:


Containment procedure

Basically, a structured approach and a targeted review of all potentially affected applications is very important. We definitely recommend the following measures:

Check if an application is affected

  • Check if any of your software vendors are already known or have responded, for example via  log4shell/README.md at main · NCSC-NL/log4shell · GitHub
  • Check whether self-developed Java-based applications or niche products use a vulnerable version of log4j, for example with the help of the Simple local log4j vulnerability scanner. But keep in mind: mere vulnerability does not mean that the vulnerability has already been exploited.
  • Use EDR tools (e.g., Microsoft Defender for Endpoint) or vulnerability scanners to detect vulnerable applications.

  • To begin with, focus primarily on publicly accessible systems. However, please remember that some systems are also indirectly accessible from the outside, for example a ticket system via e-mail.

     

Check if log4j is uti... Isolate system Yes No Check if mitigation i... Implement workaround End Workaround Patch No Is a vendors advisory... Yes Check for proof of ex... No Yes Is it self developed... Apply patch Yes Check if it is vulner... Fix vulnerabilities Patch Implement workaround Yes Check for compromise Incident Response Perform general mitig... Reactive Proacti... Yes No © HvS-Consulting AG Viewer does not support full SVG 1.1

 

Implementation of emergency first aid measures

  • Review your firewall rules for outbound connections: only systems which absolutely require it should be allowed to make outbound connections. Ensure that connections are logged appropriately.
  • As a workaround, disable the vulnerable "lookup function" as described in the BSI whitepaper.
  • If no remedy is currently possible, consider temporary isolation or shutdown.
     

Check for possible compromise

  • Analyze your firewall logs for unusual outbound connections, especially LDAP.
  • Check outgoing DNS traffic for suspicious domains.
  • Analyze reverse proxy or application logs for possible log4shell attempts, for example with Log4shell Detector. But note: an alert does not directly mean that the application is vulnerable or compromised. It could also be a failed attempt.
  • Analyze vulnerable systems for anomalies in AntiVirus or EDR logs, or check systems for indicators of compromise, for example with the Thor incident response Scanner.

Good luck!