Apache Log4j zero-day remote code execution vulnerability CVE-2021-44228

Live phishing simulation; vulnerability CVE-2021-44228

What you need to know:
A major security flaw has been discovered in a piece of software called Log4j, which is used by millions of web servers. The bug leaves them vulnerable to attack, and teams around the world are scrambling to patch affected systems before hackers can exploit them. 

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. 

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately. 

What’s affected:
Multiple vendor products affected. Please refer to the details for a list of affected products per vendor.

Actions to be taken:
What makes CVE-2021-44228 especially dangerous is the ease of exploitation; even an inexperienced hacker can successfully execute an attack using this vulnerability. According to the researchers, attackers only need to force the application to write just one string to the log, and after that they are able to upload their own code into the application due to the message lookup substitution function. 

For managed customers:
1) We can help apply vendor patch if it is available.  

2) We can check if customers have the updated IPS rules to block the exploit attempts (provided they have products that have IPS feature licensed and active).

3) We can run a threat-hunting query to see active exploit attempts.

For non-managed customers:
We’ve compiled links for vendor communications related to this vulnerability. We can also raise a case with vendors to confirm whether specific products customers are using are affected. 

Here are the official advisories per vendor: 

Forcepoint:
https://support.forcepoint.com/s/article/Apache-log4j-Zero-Day-RCE-Vulnerability-CVE-2021-44228 

Microsoft:
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

Trend Micro:
https://success.trendmicro.com/solution/000289940 

Check Point:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk176865 

https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/ 

https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk176884 

Sophos:
https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce 

Sources:
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

Further reading:
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability