Shakya Udemy

Update Log4j to secure version

The primary remediation is to update Log4j to a patched version. The Apache Software Foundation released several updates to mitigate the vulnerability.

  • Vulnerable versions: Log4j 2.x versions from 2.0 to 2.14.1.
  • Patched versions:
    • Log4j 2.15.0 (released immediately after the vulnerability was discovered) mitigated the issue but still had a few potential problems, so further fixes were needed.
    • Log4j 2.16.0 removed the vulnerable feature entirely.
    • Log4j 2.17.0 (released to fix more issues) was the next stable and secure version.
    • The latest stable release, as of the last reports, is Log4j 2.17.1.
    Action: Upgrade all instances of Log4j to 2.17.1 or later.

How to Upgrade:

  • In Maven (for Java applications that use Maven for dependency management), update the Log4j dependency to the latest version: xmlCopy<dependency> <groupId>org.apache.logging.log4j</groupId> <artifactId>log4j-core</artifactId> <version>2.17.1</version> </dependency>
  • For other build tools, such as Gradle, update the corresponding dependency version.

2. Apply Immediate Workarounds (if updating is not immediately possible)

If updating Log4j isn’t immediately feasible in your environment, temporary workarounds could mitigate the impact.

  • Set the system property to disable the vulnerable feature:
    In Java 8u121 and later, the option log4j2.formatMsgNoLookups can be set to true to prevent the use of message lookups (the part of Log4j that was vulnerable to remote code execution). Add this JVM option to your environment: bashCopy-Dlog4j2.formatMsgNoLookups=true
  • Remove the JndiLookup class: As another workaround, you could remove the JndiLookup class from the Log4j library:
    • Navigate to the directory where log4j-core-*.jar is located.
    • Delete org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core JAR file.
    This can be done using a command like: bashCopyzip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class However, it’s important to note that these are temporary solutions, and updating Log4j should remain the priority.

3. Scan Your Environment for Vulnerabilities

Use vulnerability scanners and other tools to identify where vulnerable versions of Log4j are in use across your systems and applications.

  • CISA (Cybersecurity and Infrastructure Security Agency), along with other cybersecurity vendors, released tools to scan for the vulnerability:
    • Log4Shell scanner tools: CISA provided a set of scripts to scan systems for vulnerable versions of Log4j.
    • Automated scanners: Many security companies such as Qualys, Tenable, and Rapid7 released automated scanners to help identify Log4j vulnerabilities.

Steps:

  • Run the scanner to identify where vulnerable Log4j versions are running.
  • Perform manual checks (if scanning tools are not available) by looking through your logs, dependency management tools, or codebase for references to Log4j.

4. Audit and Monitor Systems for Exploitation

After patching or applying workarounds, it’s crucial to monitor systems for signs of exploitation.

  • Enable logging and monitoring: Review server logs for unusual activity, such as unexpected payloads or remote connections that could indicate an exploitation attempt.
  • Intrusion Detection Systems (IDS): Update IDS signatures to detect exploit attempts targeting the Log4j vulnerability.
  • Incident Response Plan: If exploitation has already occurred, begin the incident response process. Isolate affected systems, analyze logs for evidence of attacks, and assess the impact.

5. Patch and Update Dependencies

Beyond Log4j, you should ensure that any third-party libraries and software that rely on Log4j are also updated to secure versions.

  • Update Java-based applications: Ensure that any Java frameworks or libraries that depend on Log4j are updated as well.
  • Update containerized applications: If you are using Docker or Kubernetes, ensure that any containers that rely on vulnerable Log4j versions are updated.

6. Implement Additional Defensive Measures

Along with patching the vulnerability, consider implementing other security measures:

  • Limit JNDI lookups: Configure your environment to limit or disable JNDI lookups (a feature of Java used by Log4j that is directly responsible for the vulnerability). This can be done by setting appropriate Java security settings or ensuring that untrusted network protocols are disabled.
  • Network segmentation: Limit internal communication between systems to prevent an attacker from moving laterally within a network if they exploit Log4j.

7. Stay Informed

Because of the critical nature of this vulnerability, it’s essential to stay informed on any new updates or emergency patches released by the Apache Software Foundation.

  • Monitor CVE-2021-44228 for further security fixes.
  • Keep an eye on security bulletins and advisories from vendors, especially if you’re using third-party software that could be impacted.

Conclusion

To remediate the Log4j vulnerability (CVE-2021-44228):

  • Upgrade to Log4j 2.17.1 or the latest patched version.
  • Apply temporary workarounds if an immediate update isn’t possible.
  • Scan your environment for vulnerable instances.
  • Audit and monitor for signs of exploitation.
  • Stay informed and continuously update dependencies.

By following these steps, you can mitigate the risks associated with the Log4j vulnerability and enhance your organization’s security posture.

Leave a comment

From the blog

About the author

Simon Shakya is an Information Technology graduate with a passion for exploring the dynamic fields of software engineering, cloud infrastructure (AWS), and cybersecurity. With a strong foundation in building and automating software tools, deploying cloud-based solutions, and utilizing data analytics, Simon is dedicated to enhancing system reliability and driving innovation in the tech world. When not coding or optimizing cloud environments, you can find Simon experimenting with the latest technologies or exploring new ways to push the boundaries of what’s possible in the digital landscape.