By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant
We’re alerting our higher education technology community that on December 9, a remote code execution vulnerability, tracked as CVE-2021-44228, was disclosed in Apache’s Log4j.
Apache Log4j is an open-source logging utility used by almost all major Java-based applications and currently running on 3 billion devices worldwide.
The vulnerability is rated very high risk and is under active, widespread exploitation. Exploiting it is simple: an attacker only needs to get a crafted string into input that the target application logs, which triggers the vulnerability and can give the attacker remote control of the victim’s server.
How Do I Tell If I’m at Risk?
Chances are, you have one or more systems at risk. While advanced features of many popular Next Generation Firewalls (NGFWs) or Web Application Firewalls (WAFs) may offer some protection, you still need to patch quickly. We recommend two immediate steps to figure out your level of exposure.
- Reach out to your vendor support representatives to find out if the products you use are vulnerable. The following links can help you determine whether your software, hardware, or services are vulnerable:
- Perform vulnerability scans
Many of the popular vulnerability scanning platforms, such as Nessus, Rapid7, or Tripwire, already have scanning templates ready to detect CVE-2021-44228. Work with your IT Department or Security Services partner to schedule a scan soon.
What Is Affected?
Higher education institutions run many products that use Java and the Log4j 2 library, including:
- Some Ellucian Software (Ellucian Colleague, Ethos Identity, Some Ellucian Banner components)
- VMware vCenter
- Apache frameworks: Struts2, Solr, Druid, Flink, Swift
Any web server using Log4j should be scanned and updated at once. Apache Log4j2 versions 2.14.1 and lower have Java Naming and Directory Interface™ (JNDI) features, used in configuration, log messages, and parameters, that do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
How Do I Fix This?
- The best way to address this vulnerability is to update to the latest version of Apache Log4j.
- Version 2.15.0 was the latest at the time of publication.
- If you are unable to update to the latest version, Apache recommends the following:
- “In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.”
CISA encourages users and administrators to review the official Apache release above and upgrade to Log4j 2.15.0 or apply the recommended mitigations at once.
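To complement the vendor checks and scanner templates recommended above, the following added example (not part of this advisory or of Apache's own tooling) inventories log4j-core JARs on a host and classifies each one against the version and workaround guidance quoted above. It assumes the JAR carries Maven's pom.properties for its version (the published log4j-core JARs do) and treats a missing JndiLookup.class as the applied zip -d workaround; the sample JARs it builds are constructed fixtures, not real Log4j artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0, 1)  # 2.15.0, the fixed release named in the advisory

def parse_version(text):
    """Map '2.14.1' or '2.0-beta9' to a comparable tuple; a pre-release sorts below its release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def classify_jar(path):
    """Return (version, status): 'fixed', 'jndi-removed', 'vulnerable' or 'unknown'."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPERTIES).decode("utf-8", "replace") if POM_PROPERTIES in names else ""
    m = re.search(r"^version=(.+)$", props, re.M)  # published log4j-core JARs carry this file
    version = m.group(1).strip() if m else None
    parsed = parse_version(version) if version else None
    if parsed is None:
        return version, "unknown"       # no Maven metadata: inspect the JAR by hand
    if parsed >= FIXED_VERSION:
        return version, "fixed"
    if JNDI_LOOKUP_CLASS not in names:
        return version, "jndi-removed"  # the zip -d workaround quoted above was applied
    return version, "vulnerable"        # affected version with the lookup class still present

def scan_tree(root):
    """Walk a directory tree and classify every log4j-core JAR found, keyed by file name."""
    return {p.name: classify_jar(p) for p in Path(root).rglob("log4j-core*.jar")}

def make_sample_jar(path, version, include_jndi_lookup=True):
    # Constructed stand-in JAR holding only the entries the scanner reads (test fixture).
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes

def demo():
    """Scan three constructed JARs: unpatched, class-removed, and upgraded."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(Path(d) / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(Path(d) / "log4j-core-2.10.0.jar", "2.10.0", include_jndi_lookup=False)
        make_sample_jar(Path(d) / "log4j-core-2.15.0.jar", "2.15.0")
        return scan_tree(d)
```

A JAR scan cannot see the log4j2.formatMsgNoLookups property or LOG4J_FORMAT_MSG_NO_LOOKUPS variable, so a "vulnerable" result still needs the running process's configuration checked; vendor products that repackage Log4j without pom.properties will report "unknown" and require the vendor confirmation recommended above.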
We are actively deploying security workarounds for these products for our clients and are happy to help your institution as well. Please contact Ferrilli as soon as possible to set up a consultation.
Receive 100 Hours of Complimentary Security Services!
We’re excited to announce that Ferrilli has joined Pledge 1% as a proud corporate partner.
This is big news for higher education! As part of our Pledge 1% commitment, we are donating 100 hours of security services to institutions that have fallen victim to a cyber attack.
Please click here to learn more.