See Also - Exploits Swirling for Major Security Defect in Apache Log4j
This Tech Tip outlines how enterprise defenders can mitigate the risks of the Log4j vulnerabilities for the short-term while waiting for updates.
December 11, 2021 By Fahmida Y. Rashid
Researchers are warning that attackers are actively exploiting the newly publicized unauthenticated remote code execution vulnerability in Log4j, the Java-based logging tool from Apache. While the bulk of the work to mitigate CVE-2021-44228 falls on application owners and software developers, enterprise security teams also have to do their part to keep their organizations secure.
This Tech Tip provides short-term mitigations for affected enterprise security teams who don’t yet have updates available, can’t install the updates right away for whatever reason, or won’t be receiving updates at all.
Consider the following scenario: a vendor has a financial application that uses Java and the vulnerable version of Log4j. Any organization that uses the client application to access that Java application is also vulnerable to remote code execution since the client is also likely using Log4j. In this scenario, the organization is in a tougher position because it has to wait for the vendor to update both the main application and the client. That could be never for a legacy application.
“Any java application using the affected log4j versions and accessible over the network can be exploited, and many of those applications are likely third-party and out of the user's hands administratively,” says Karl Sigler, Senior Security Research Manager, Trustwave SpiderLabs.