log4j log4shell tips and guidelines for action

Structured information and tips for dealing with the log4j vulnerability (CVE-2021-44228)

The #Log4Shell vulnerability isn't just a RCE 0day. It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products. It's a 0day cluster bomb.

@cyb3rops (Florian Roth)

The log4j vulnerability is extremely critical, since the affected Java library is present in countless commercial products, free software and in-house developments. The extent of this vulnerability cannot yet be seriously assessed and will become apparent in the coming weeks.

 

Log4j Information Sources

We recommend using the - continuously updated - BSI whitepaper (in German only):

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Webanwendungen/log4j/log4j_node.html 

There, current findings are compiled and helpful tools are linked, for example:

Good summaries and background are provided by the following sources:

Containment procedure

Basically, a structured approach and a targeted review of all potentially affected applications is very important. We definitely recommend the following measures:

Check if an application is affected

  • Check if any of your software vendors are already known or have responded, for example via log4shell/README.md at main · NCSC-NL/log4shell · GitHub
  • Check whether self-developed Java-based applications or niche products use a vulnerable version of log4j, for example with the help of the Simple local log4j vulnerability scanner. But keep in mind: mere vulnerability does not mean that the vulnerability has already been exploited.
  • Use EDR tools (e.g., Microsoft Defender for Endpoint) or vulnerability scanners to detect vulnerable applications.
  • To begin with, focus primarily on publicly accessible systems. However, please remember that some systems are also indirectly accessible from the outside, for example a ticket system via e-mail.

Implementation of emergency first aid measures

  • Review your firewall rules for outbound connections: only systems which absolutely require it should be allowed to make outbound connections. Ensure that connections are logged appropriately.
  • As a workaround, disable the vulnerable "lookup function" as described in the BSI whitepaper.
  • If no remedy is currently possible, consider temporary isolation or shutdown.

 

Check for possible compromise

  • Analyze your firewall logs for unusual outbound connections, especially LDAP.
  • Check outgoing DNS traffic for suspicious domains.
  • Analyze reverse proxy or application logs for possible log4shell attempts, for example with Log4shell Detector. But note: an alert does not directly mean that the application is vulnerable or compromised. It could also be a failed attempt.
  • Analyze vulnerable systems for anomalies in AntiVirus or EDR logs, or check systems for indicators of compromise, for example with the Thor incident response Scanner.

Good luck!