Canada and its Five Eyes intelligence partners have issued a joint alert on the Log4Shell and related critical vulnerabilities to make sure infosec pros understand the seriousness of the issue.
“Treat known and suspected vulnerable assets as compromised,” says the alert. “These assets should be isolated until they are mitigated and verified.”
Issued by the Canada Centre for Cyber Security, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the U.S. National Security Agency, the Australian Cyber Security Centre, the Computer Emergency Response Team New Zealand, the New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre, the document provides comprehensive mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library.
That includes:
–CVE-2021-44228 (known as “Log4Shell”), disclosed on December 10, is a remote code execution (RCE) vulnerability affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1. Apache released Log4j version 2.15 to address it;
–CVE-2021-45046, disclosed on December 13, enables a remote attacker to cause a denial-of-service (DoS) condition or other effects in certain non-default configurations. Apache released Log4j version 2.16.0 (Java 8) to address it;
–and CVE-2021-45105, disclosed on December 16, enables a remote attacker to cause a DoS condition or other effects in certain non-default configurations. Apache released Log4j version 2.17.0 (Java 8) in response.
“Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems,” says the alert. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.
Application developers with environments using Java 8 or later should upgrade to Log4j version 2.17 or newer, says the alert. Those using Java 7 should upgrade to Log4j version 2.12.3 (released December 21, 2021). However, the alert also notes that Java 7 is currently end of life, so it advises organizations to upgrade to Java 8. They should also inform their end users of products that contain these vulnerabilities and strongly urge them to prioritize software updates, the alert says.
IT departments should inventory all assets — including cloud assets, regardless of function, operating system, or make — that use the Log4j Java library. That inventory should include the following attributes of each asset:
- Software versions
- Timestamps of when last updated and by whom
- User accounts on the asset with their privilege level
- Location of asset in the enterprise topology.
Use CISA’s GitHub repository and CERT/CC’s CVE-2021-44228_scanner to identify assets vulnerable to Log4Shell.
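As an added illustration (not part of the alert or the tools it names), the script below triages a constructed Log4j asset inventory, carrying the attributes the alert asks for, against the version ranges and fixed versions exactly as the alert states them (2.0-beta9 to 2.14.1 for Log4Shell, 2.16.0 and 2.17.0 for the two DoS CVEs on the Java 8 line, 2.12.3 for Java 7) and applies its "treat as compromised, isolate until mitigated and verified" rule. The hostnames, versions and account data are made up.

```python
import re
from dataclasses import dataclass

@dataclass
class Asset:  # the attributes the alert says the inventory should carry
    host: str
    java_major: int
    log4j_version: str
    last_updated: str
    updated_by: str
    privileged_accounts: tuple
    location: str

def parse_version(v: str) -> tuple:
    """'2.0-beta9' -> (2,0,0,0,9); '2.14.1' -> (2,14,1,1,0).
    A beta/rc sorts below the final release carrying the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)) + ((0, int(pre)) if pre else (1, 0))

# Versions as named in the alert
LOG4SHELL_RANGE = (parse_version("2.0-beta9"), parse_version("2.14.1"))
FIX_45046, FIX_45105 = parse_version("2.16.0"), parse_version("2.17.0")
TARGET_JAVA7, TARGET_JAVA8 = "2.12.3", "2.17.0"

def triage(asset: Asset) -> dict:
    """CVEs the asset's version falls under per the alert, and the action it calls for."""
    v = parse_version(asset.log4j_version)
    target = TARGET_JAVA7 if asset.java_major < 8 else TARGET_JAVA8
    cves = []
    if LOG4SHELL_RANGE[0] <= v <= LOG4SHELL_RANGE[1]:
        cves.append("CVE-2021-44228")
    if asset.java_major >= 8:  # the alert gives 2.16.0 / 2.17.0 for the Java 8 line only
        if LOG4SHELL_RANGE[0] <= v < FIX_45046:
            cves.append("CVE-2021-45046")
        if LOG4SHELL_RANGE[0] <= v < FIX_45105:
            cves.append("CVE-2021-45105")
    # Anything in the 2.x line below the alert's target version still needs the upgrade
    needs_upgrade = bool(cves) or (LOG4SHELL_RANGE[0] <= v < parse_version(target))
    return {
        "host": asset.host,
        "cves": cves,
        "upgrade_to": target if needs_upgrade else None,
        "action": "isolate until mitigated and verified" if needs_upgrade else "none",
        "java_eol": asset.java_major < 8,  # alert: Java 7 is end of life, move to Java 8
    }

def triage_inventory(assets) -> dict:
    """Map host -> triage result; flagged hosts are the ones to isolate first."""
    return {a.host: triage(a) for a in assets}
```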