Update January 10, 2022: This vulnerability is being actively exploited, risking Internet-facing endpoints. Medigate is tracking the responses of vendors, CISA, and CERT/CC. Our system is continuously updated with new information. In addition, Medigate monitors Log4j exploit attempts.
Apache has released version 2.17.1 of the patch for Log4j after discovering issues with their previous release (2.17.0).
Since the publication of CVE-2021-44228, 4 more vulnerabilities were published in Log4j versions: CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, and CVE-2021-44832.
Brief Description of the Vulnerability:
On December 9th, an exploited-in-the-wild Log4Shell vulnerability, tracked as CVE-2021-44228, was disclosed in Apache Log4j versions 2.0 to 2.14.1. Log4j threatens popular consumer and enterprise apps, cloud services, and websites that use the popular open-source logging library, Apache Log4j. This vulnerability is a Remote Code Execution (RCE) vulnerability with a critical CVSS score of 10 out of 10 from Apache.
Successful exploitation of the vulnerability in Apache’s Log4j Java-based logging tool could allow unauthenticated attackers to execute arbitrary code and potentially take complete control of the system. According to researchers, given how ubiquitous this library is and how easy it is to exploit this vulnerability, the potential impact of the exploit is alarming.
NSA Director of Cybersecurity Rob Joyce said about this attack, “This is a case study in why the software bill of material (SBOM) concept is so important to understand exposure.”
It’s still unclear how many applications and products use vulnerable versions of Log4j. In the absence of SBOM files, understanding the severity to the healthcare sector is particularly difficult. Medical Device Manufacturers are expected to report which devices are vulnerable in the coming days, and Medigate will be tracking this news closely.
Devices using Apache Log4j2 in all versions from 2.0-beta9 to 2.14.1. This is a commonly used Apache platform with a large impact radius.
Vendors like Cisco, VMWare, and Adobe have already published their affected products while others are still assessing. In terms of medical devices, medical application servers are at risk, with a few Philips models already confirmed to be vulnerable. See the table below for more info:
Medigate’s Affected Systems
Medigate products are not affected by this vulnerability as all Medigate environments (collection & analysis servers) are already patched for this CVE. We have also notified our customers of malicious communications.
We are reporting this vulnerability in the Threat Intel Feed, and you can find it on the Vulnerabilities page of the Medigate dashboard.
Are we able or will be able to detect this vulnerability?
– When applicable, Medigate will detect log4j2 vulnerable versions. More details will be available as Device Manufacturers disclose their affected devices and versions. When detection cannot be made, Medigate will alert devices running the relevant Java versions as “Potentially Relevant.”
– In addition, Medigate monitors Log4j exploit attempts and will notify the customers in case any relevant attempt is detected.
– Identify all affected devices in your network: Map all devices running the vulnerable versions in log4j2.
– Focus on Internet-facing endpoints that are at a higher risk than other vulnerable devices.
– The most effective protection will be to upgrade to log4j-2.17.1 as soon as feasible.
– If updating the library is not possible, you can apply the following workarounds recommended by Apache:
– Log4j from 2.0-beta9 to 2.10.0:
– Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
– Log4J versions from 2.10 to 2.14.1:
– Set the log4j2.formatMsgNoLookups system property, or set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
– Use Vulnerability Scanners
– A key tool that can be used is your vulnerability management solution.
– Using Medigate Clinical Cyber Hygiene, you can create a targeted scan of all potentially vulnerable devices and scan those at once
– This will enable you to map all vulnerable devices based on a combination of passive and active information.
– Monitor network traffic and device behavior: Use Medigate’s communication alerts to determine whether the devices in your environment communicate with malicious IPs associated with Log4j attacks. For a full list of IoC associated with Log4j attacks, see this link.
As always, reach out to the Medigate team for further information or assistance in remediation.
To learn more about the Medigate Research Labs and our Threat Intel Feed, visit medigate.io/threat.