Apache Log4j Mitigation

Summary

Attackers are exploiting a vulnerability in the Log4j logging platform on systems running Apache software that is written in Java and utilizes the log4j library. Critical systems will be impacted.

What is Impacted?

All Log4j versions >= 2.0-beta9 and <= 2.14.1, but remember, it may be embedded in vendor or locally developed software.

Actions Needed

  • Update Log4j to version 2.15.x, 2.16.x or higher on systems using Apache, to mitigate exploits as soon as possible after appropriate testing.
    • Upgrade (to 2.1.16, if you have direct access to Apache, and 2.1.15, if 2.1.16 is not available yet).
    • Upgrade your vendor supplied or locally developed software as patches & updates become available.
    • Where updates are not available, see if it is possible to remove the JndiLookup class from the classpath.
  • Check (for every vendor that provides you with a web interface, including printers, and cloud services) to see if the log4j vulnerability is present in the vendor’s product, and if a patch or update is available.
  • Monitor for unusually high CPU utilization as well as unexpected processes, system changes, services, network connections, and new users/groups. It is not known when the criminals discovered this exploit,
  • Run full scans of an anti-malware application (SentinelOne, ClamAV, Bitdefender) on vulnerable systems before and after updates are reasonable precautions.
  • Mitigate the vulnerability. If you are using Cloudflare Web Application Firewall, use the new controls to help mitigate any exploit attempts.
  • Review web service, web application, web application firewall, and anti-malware logs for anomalies in the last 30 days on systems determined to be vulnerable
  • Testsoftware functionality, including backup or snapshot, and other systems that depend to ensure they still work.
    • When systems and services are fully restored and operational, run an anti-malware check to see malware has been planted on the system prior to update.
  • Notify the ISO of
    • Systems, software, or services that are not vulnerable that you have checked
    • Systems, software, or services that you have upgraded / and that were vulnerable
    • Systems, software, or services which are vulnerable, but have no update/upgrade yet available. Also include any supplied information of when an update/upgrade is anticipated.
    • The ISO has scanned campus. If you would like the ISO to perform a scan, please contact us.
  • Expect communication from the RIT Information Security Office, as scanning and vulnerability detection capabilities improve, and risk is managed.

NOTE: If you have an exception on a system running Apache, services may become available.

Patching

The ISO recommends patching as soon as the patch becomes available, taking only the time to take a snapshot or backup prior to patching.  And even with taking a snapshot or backup, if that can be done with Apache or the embedded components disabled, that is the preferred method.

All RIT system owners are expected to keep systems up to date with the latest patches and updates.  In the standards, the language makes some allowance for professional judgment, maintenance windows, and other things that might delay implementation, but we expect you to use your professional judgment to weigh the risks of delaying implementation against the risks of exploitation, and the resulting impact to services of the cleanup efforts.

The Problem

Log4j is a Java-based logging library maintained by the Apache Software Foundation. According to the Cloudflare Blog, “In the affected Log4j versions, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

The use of this exploit was discovered through it being exploited on Minecraft. You will see references that the exploit is in the wild, but that doesn’t convey the gravity of the situation. It is not safe to assume that the gamers in Minecraft discovered it. A safer assumption is to look at all your systems that have updates as if they have already been compromised.

It is reported that one of the ways that criminals are monetizing the ability to run arbitrary code is through cryptocurrency mining, but distributing ransomware, infostealers, or botnets would also be valuable. Common applications that handle direct authentication (not brokered by Shibboleth or multi-factor authentication methods), would also be targets for account stealing.

Background

This may be the most damaging exploit the Internet has seen. It has affected all Apache (web server) installations, as well as software that embeds the log4j logging platform. Log4j is a flexible open source utility that because of its availability, capabilities and reliability. Cloud services as large as iCloud have been affected, and though now updated, this is a zero-day exploit with remote code execution capabilities. Translated, that means that the criminals discovered it before the developers and vendors did, and for some unknown amount of time, they could place and execute any software on systems that were affected. It is the commonality of the log4j utility that makes this so significant. It has been in use by Equifax, and 65% of fortune 100 companies on their web front ends. In addition to some cloud services and some commercial public websites, the utility may be present in some of the smallest single-purpose Internet of Things products. Raspberry Pi single-board computers, often used in signage and control applications, may also have Apache loaded on them.

Special Note on Bring Your Own Device Systems

Recreational software such as Java Minecraft is affected. Steam is also reported as having been affected.  Users (or their children) are the systems administrators for these systems.