A serious remote code execution vulnerability has emerged in Log4j, a Java logging package used in a number of software products and platforms from organizations such as Apache, Apple, Twitter, Tesla, and Steam. This vulnerability affects almost every Java application that writes log records using this library. Apache has released a patch for this vulnerability, which is tracked as CVE-2021-44228. Barracuda MSP has implemented custom rules for detecting this exploit in SKOUT Managed XDR Log and Network Security Monitoring solutions, and recommends applying this patch immediately to protect your organization.
What is the threat?
CVE-2021-44228 is a remote code execution vulnerability. If exploited, an attacker could execute commands remotely, which would allow them to run anything they want on a vulnerable machine. This could lead to a data leak or a complete system compromise, which could in turn result in a denial of service.
With proof-of-concept code available for this vulnerability, the Barracuda MSP team and other security professionals expect to see an increasing number of attacks and attempts to exploit vulnerable users.
Why is it noteworthy?
As mentioned earlier, this vulnerability affects any application that uses Log4j for logging. This includes software from Apache, Apple, Twitter, Tesla, Steam, ElasticSearch, Redis, and many video games (such as Minecraft). This gives cybercriminals an incredibly wide range of potential targets. The implications of the exploit are so great that it is considered a “shell shock” vulnerability.
Attackers are always looking for vulnerabilities of this kind that can be exploited at scale. This is one of the most significant RCE vulnerabilities to have come out recently. It is very important to keep services up to date and to apply patches as they are released, to prevent threat actors from accessing and damaging your systems.
What is the exposure or risk?
This exploit could allow an attacker to remotely execute code on an affected device. Remote code execution can lead to many potential compromises, such as data leaks, denial of service attacks, and even complete system compromises. Since the vulnerable library is used in many different applications, attackers are not necessarily looking for a specific target. It only takes one line of text to start this attack, so attackers spray it everywhere they can in the hope of finding vulnerable applications. If a device is compromised, attackers can gain access to sensitive information by executing arbitrary system commands and even creating or deleting files. Log4j is used for logging in many different applications, many of which are used and trusted by businesses and individuals all over the world. Users expect that any data stored in these applications will remain private, and that the applications will be available for the conduct of day-to-day business. This vulnerability puts both of those expectations at risk if it is exploited, so it is very important to make sure that all patches are applied.
What are the recommendations?
Barracuda MSP has implemented custom rules for detecting this exploit in SKOUT Managed XDR Log and Network Security Monitoring solutions and recommends applying this patch immediately to protect your organization. Please refer to the full list of affected versions of the Log4j library below.
- All versions of Log4j 2.x before 2.15.0 (released today, Friday, December 10, 2021) are affected.
- JVM versions lower than the following:
  - Java 6: 6u212
  - Java 7: 7u202
  - Java 8: 8u192
  - Java 11: 11.0.2
If your organization is using Apache Log4j, it should upgrade to log4j-2.1.50.rc2 immediately.
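To act on the version list above, a practitioner first needs an inventory of which Log4j jars are actually deployed. The following audit script is an added example, not code from the alert or from Barracuda; it walks a directory tree, identifies log4j-core jars by the presence of the JndiLookup class, reads the version from the jar manifest (falling back to the file name), and flags anything below the 2.15.0 threshold. The PATCHED threshold and the sample jars built by make_sample_jar/demo are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
import zipfile

PATCHED = (2, 15, 0)  # first fixed release named in the alert; raise it as newer releases supersede it
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Turn '2.14.1' or '2.15.0-rc2' into a comparable tuple of ints (None if unparsable)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def audit_jar(path):
    """Return (version, vulnerable) for a log4j-core jar, or None for any other jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if JNDI_CLASS not in names:
            return None  # no JndiLookup class: not a log4j-core 2.x jar
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
        found = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        version = parse_version(found.group(1)) if found else None
    if version is None:  # fall back to the version embedded in the file name
        m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", os.path.basename(path))
        version = parse_version(m.group(1)) if m else None
    # an unknown version with JndiLookup present is reported as vulnerable, not ignored
    return version, (version is None or version < PATCHED)

def audit_tree(root):
    """Map each log4j-core jar under root to its (version, vulnerable) result."""
    jars = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.endswith(".jar"))
    results = ((p, audit_jar(p)) for p in jars)
    return {p: r for p, r in results if r is not None}

def make_sample_jar(path, version=None, include_jndi=True):
    """Write a constructed stand-in jar (not a real log4j build) for the demonstration."""
    manifest = "Manifest-Version: 1.0\n" + (f"Implementation-Version: {version}\n" if version else "")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"")

def demo():
    """Build a constructed sample tree and return findings keyed by jar file name."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
    make_sample_jar(os.path.join(root, "log4j-core-2.10.0.jar"))  # no manifest version
    make_sample_jar(os.path.join(root, "other-lib-1.0.jar"), "1.0", include_jndi=False)
    return {os.path.basename(p): r for p, r in audit_tree(root).items()}
```

Point audit_tree at an application's install directory to list its log4j-core jars; jars embedded inside other archives (fat jars, WAR files) are not unpacked by this example and need a separate pass.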
Additionally, it is up to specific vendors to apply this patch to their apps, so stay tuned for any app updates. This resource tracks components/applications at risk: https://github.com/YfryTchsGD/Log4jAttackSurface
Third-party patch management should be a part of your service offerings to reduce vulnerabilities in your customers’ environment. (Barracuda MSP partners can automate this critical security process using Barracuda Advanced Software Management and Barracuda RMM to simplify all patch management requirements.)
For more in-depth information on the recommendations, please visit the following links:
This post was based on a threat alert issued by our Barracuda Managed XDR team. For more information on the best way to set up your MSP business to protect customers from cyberthreats, visit the Barracuda Managed XDR page.