Tools Resources

CVE-2021-44228: The Log4Shell Vulnerability

author_profile
Becca Gomby
Thursday, Dec 16th, 2021

A critical, zero-day vulnerability known as “Log4Shell” was recently found in Apache Log4j, an open-source logging utility used by an enormous array of enterprise software, applications, and cloud services. It was first discovered in remote-code compromises against Minecraft servers (the popular Microsoft video game), but the impact of the vulnerability is widespread. The vulnerability affects any application that uses Apache Log4Shell, and many applications and services written in Java are likewise vulnerable to exploitation.

This newly discovered vulnerability is considered highly dangerous because it is easy to exploit. The remote code execution (RCE) can enable an attacker to remotely access and control devices.

The Implications and Impacts of CVE-2021-44228

CVE-2021-44228 otherwise known as Log4Shell – has caused quite a stir across the cybersecurity world. The security risk is particularly concerning as it has been actively exploited across systems, leading to its zero-day status. Hackers are actively targeting this vulnerability and a conclusive fix has not yet been applied to all at-risk systems. The vulnerability affects Log4j version 2.0-beta-9 to version 2.14.1.

Hackers are actively exploiting this vulnerability with the intent to extract information from services and as there is no one-size-fits-all remediation, these attacks are expected to continue.

Current Detection and Mitigation Efforts

The security community has moved swiftly to provide patches to remediate this vulnerability and protect services, applications, and cloud environments from significant exploitation. This includes open-source tools, signatures and grep commands to detect exploitation attempts. A PoCs to simulate the vulnerability was also developed.

Panoptica’s Efforts to Detect and Mitigate the Log4Shell Vulnerability

Since the outbreak of the Log4Shell vulnerability [CVE-2021-44228], the Panoptica team has been working to provide a complete detection solution for both the discovered CVE as well as attempts to exploit this discovered vulnerability. On the 13th of December, Panoptica pushed a new version that also detects both the exploitation and attempt at exploitation.

There are many vulnerable servers (compute instances) and Panoptica enables our customers to prioritize the remediation to critical assets first.

What are these "critical assets?"
We define these critical assets as those that can lead to full compromise of the environment because of the high privileges associated with them.

Ensuring Your Environment is Secure Moving Forward

At this point, with such a powerful vulnerability we can assume that an attacker has already exploited Log4Shell and has a command execution on the server.

The question is, what can the attacker do next?

If the server is isolated and has no permissions, this is one use case. But if the server has administrator privileges or permissions to read all the data stored in the S3 buckets, this is a CRITICAL vulnerability. Likewise, it has been observed that Log4Shell has already been used to steal AWS credentials.

image1
image 2

Online services and applications are dynamic and there are always hackers looking for vulnerabilities to exploit. Best practice is to ensure you partner with a cloud security vendor who takes a proactive security posture. You should look for the following aspects in your cloud security partner:

  • A holistic view of your cloud security environments and potential vulnerabilities – by looking through the lens of a multi-layer CNAPP solution, you can better ensure that every aspect and stage of your service is covered – from build to runtime.
  • Runtime protection is key – Ensuring your cloud security partner offers runtime detection and protection is essential, having the ability to detect when malware or nefarious actors have entered your system can help you decelerate their damages.
  • An agentless solution is not enough – Log4Shell is a great example that 100% agentless is not enough. Organizations require continuous evaluation of their workloads in order to ensure that their environments are secure on a persistent basis.
Popup Image