Log4J: from the standard to the cure

In December 202, log4j shocked “Log4 Hell”, after which it quickly spread rapidly in the Internet, it was astanding more than 40% of corporate networks around the world in a short period of time. The staff did not have a weekend instant. The vulnerability utilization cost is extremely low, and can be executed directly, and take over the target server, which potentially harmful, the influence is the most important.

Log4Shell attack is huge, some experts believe that this vulnerability is not up and down with the 2014 Shellshock series security vulnerability, the latter is used in the initial disclosure of botnets that are damaged by the damaged computer, launch distributed refusal service (DDOS) Attack and vulnerability scanning.

Log4j vulnerabilities are not uncommon, and thus should be continued to fully identify and repair issues. Here are some basic methods to share some basic methods.

The concerns of log4j are mainly due to the use of universal use of Java log libraries, as well as without authenticated attackers, so easy to use the vulnerability to implement remote code execution (RCE). We have a dealing with the configuration update, as if you have a log4j attack kit, but it is just a temporary buddha. At the same time, such a vulnerability has a variant, but the long-term solution to the internal upgrade of core infrastructure is still out of date.

Due to the subsequent Universal Vulnerability Disclosure (CVE), plus many teams in changing configuration, scanning asset investigations are too sloppy, log4j is fully controlled, still a month. Many organizations are either stay in the interview phase for a long time, trying to completely find where the system uses Java or Log4j, either in repair, because operations or system restrictions are bound to launch a complete patch.

Because the initial configuration changes are not sufficient, the vulnerability is changing, or the preparation of the implementation of the full fix is ??required. The best practices and important arguments mentioned below will help the security team in this regard.

Large-scale use of asset management

After the Log4j vulnerability occurs, the security team will find and give priority to the group of mass assets. People commonly hope that there is a quick and scalable way to find Java and Log4j instances. There are many detection tools, but many security organizations have forgotten a basic content: the latest software asset list.

Asset collection and processing is critical, the security team needs to answer the following questions: Which Linux servers are running log4j? Which virtual machines use java?

Powerful asset management can speed up the repair cycle. Whenever new log4j appears, new patches are required immediately. The team of asset management capabilities is more efficient to log4j’s response, and they can identify Java instances that are encompacted and monitor the impact of repair.

Best Defense: Accelerate Repair Cycle

Installing patch is the best way to respond to emerging threats, but attackers will quickly incorporate new CVEs into the attack kit. To mitigate attacks and protection systems, upgrade to the latest version is the most reliable approach. Over time, relying on manual configuration changes can cause a loophole because Log4J and other vulnerabilities are also evolved, and only one real / fake flag is not enough.

Check configuration

Strengthen asset management practice, to implement configuration checks. When the new CVE appears, the assets need to update and configure changes to ensure that it can be tracked from log4j. In this vulnerability management plan, the primary one is the monitoring channel for the security team to find unknown threats. Finding high priority threats requires a safe process arrangement, do not restrametal aperture message or bianced twice content, and establish a proactive process.

Solve legacy system issues

If organizations are still using legacy software that is not compatible with Java, then take action to promote leadership (and suppliers) to establish a powerful software asset list and cycle repair cycle. Handling technical liabilities (including unfixed legacy software) consume too much resource and bandwidth while need to increase monitoring and compensatory control. When log4j appears, the security team is more voice, and this is also a good time to plan the legacy system.

The intranet and air gap system cannot be ignored

People usually believe that the air gap system and internal equipment are safe, because if the attacker is not in contact, it will not be useful. But this hypothesis is extremely dangerous to log4j, because unauthenticated requests, even if other applications can still cause remote code execution (RCE) vulnerabilities. Treat the air gap system and the intranet asset should be the same as the Internet, ready to fully upgrade and expand the configuration tracking.

Safety automatic expansion and deployment

Identify assets that may use automated deployment or automatic extension schemes in the cloud environment. To make sure these configurations are secure, and any future deployment will not use the Over-time Java version or Log4J library. This needs to work with the development team to ensure that these security configurations are included in the future construction.