Mitigating an Exploit in the Log4j2 Logging Library – RCE Zero-day

CyberProof’s team was focused over the weekend on providing information and updates necessary to protect our clients from a new, critical remote code execution (RCE) zero-day exploit for Apache Log4j Java-based logging library, now tracked as CVE-2021-44228. The vulnerability allows hackers to conduct unauthenticated RCE and achieve a complete system takeover. Experts at CyberProof provided the following recommendations for organizations needing to mitigate the risk:

  • Upgrade every impacted Apache Log4j between versions 2.0 and 2.14.1 as a critical emerging vulnerability.
  • Upgrade Apache Log4j versions 1.x provided it doesn’t affect any other operations within the organization - as a high severity vulnerability, since it’s been end-of-life since 2015, and is vulnerable to other past unpatched vulnerabilities.
  • If updating to the latest version is not possible, organizations can also mitigate exploit attempts by setting the system property “log4j2.formatMsgNoLookups” to “true”; or by removing the JndiLookup class from the classpath.
  • Consider restricting outbound LDAP/S and RMI traffic (by application control of the firewall, not port numbers) and whitelist specific sources and destinations for legitimate use (if any).
  • Since this vulnerability is being widely exploited, we also recommend that you identify, detect, and be aware of massive scanning over the Internet for vulnerable components – mainly for deploying miners, but possibly bots and ransomware as well.

Want to learn more about handling this and other vulnerabilities? Be in touch today!