Update January 10, 2022: This vulnerability is being actively exploited, risking Internet-facing endpoints. Medigate is tracking the responses of vendors, CISA, and CERT/CC. Our system is continuously updated with new information. In addition, Medigate monitors Log4j exploit attempts. 

 

Apache has released Log4j version 2.17.1 after discovering issues with the previous release (2.17.0).

 

Since the publication of CVE-2021-44228, four more Log4j vulnerabilities have been published: CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, and CVE-2021-44832.

 

Brief Description of the Vulnerability: 

On December 9th, an exploited-in-the-wild vulnerability known as Log4Shell, tracked as CVE-2021-44228, was disclosed in Apache Log4j versions 2.0 to 2.14.1. It threatens popular consumer and enterprise apps, cloud services, and websites that use the widely deployed open-source logging library Apache Log4j. This is a Remote Code Execution (RCE) vulnerability with a critical CVSS score of 10 out of 10 from Apache.

 

Successful exploitation of the vulnerability in Apache’s Log4j Java-based logging tool could allow unauthenticated attackers to execute arbitrary code and potentially take complete control of the system. According to researchers, given how ubiquitous this library is and how easy it is to exploit this vulnerability, the potential impact of the exploit is alarming.

 

NSA Director of Cybersecurity Rob Joyce said about this attack, “This is a case study in why the software bill of material (SBOM) concept is so important to understand exposure.” 

 

It’s still unclear how many applications and products use vulnerable versions of Log4j. In the absence of SBOM files, understanding the severity to the healthcare sector is particularly difficult. Medical Device Manufacturers are expected to report which devices are vulnerable in the coming days, and Medigate will be tracking this news closely.

 

For a complete list of Security Advisories linked to Log4Shell, please refer to one of the following: CISA, CERT/CC, or GitHub.

 

Affected Devices

Devices using Apache Log4j2 in any version from 2.0-beta9 to 2.14.1. Log4j is a widely used Apache logging library with a large impact radius.

Vendors like Cisco, VMware, and Adobe have already published their affected products while others are still assessing. In terms of medical devices, medical application servers are at risk, with a few Philips models already confirmed to be vulnerable. See the table below for more info:

Vendor                 Status
---------------------  ----------------------------------------------------------
Philips                Several products identified as vulnerable, still assessing
GE                     Several products identified as vulnerable, still assessing
SpaceLabs              Not Affected
Carestream             Not Affected
Siemens Healthineers   Several products identified as vulnerable, still assessing
Vyaire                 Not Affected
BD                     Not Affected
Canon                  Not Affected, still assessing
Baxter                 Not Affected
Boston Scientific      Vulnerable Products
B. Braun               Not Affected
Beckman Coulter        Several products identified as vulnerable
ResMed                 Not Affected
Abbott                 Not Affected, still assessing
Cepheid                Assessing
Draeger                Not Affected
Hologic                Potentially Vulnerable Products
Medtronic              Assessing
Leica                  Not Affected, still assessing
Elekta                 Assessing
Varian                 Several products identified as vulnerable, still assessing
Edwards Lifesciences   Not Affected
Steris                 Not Affected
Provation              Not Affected
Olympus                Not Affected
Vital Images           Several products identified as vulnerable
Capsule                Not Affected
Natus                  Assessing
Nihon Kohden           Not Affected
Cadwell                Not Affected
Sysmex                 Not Affected
Stryker                Not Affected
Hill-Rom               Not Affected

Medigate’s Affected Systems

Medigate products are not affected by this vulnerability, as all Medigate environments (collection & analysis servers) are already patched for this CVE. We have also notified our customers of malicious communications.

 

Status

We are reporting this vulnerability in the Threat Intel Feed, and you can find it on the Vulnerabilities page of the Medigate dashboard. 

 

Are we able, or will we be able, to detect this vulnerability?

– When applicable, Medigate will detect vulnerable log4j2 versions. More details will be available as Device Manufacturers disclose their affected devices and versions. Where version-based detection is not possible, Medigate will flag devices running the relevant Java versions as “Potentially Relevant.”

In addition, Medigate monitors Log4j exploit attempts and will notify the customers in case any relevant attempt is detected.

 

Remediation Steps:

– Identify all affected devices in your network: map all devices running the vulnerable versions of log4j2.

       – Focus on Internet-facing endpoints, which are at higher risk than other vulnerable devices.

– The most effective protection is to upgrade to log4j-2.17.1 as soon as feasible.

– If updating the library is not possible, you can apply the following workarounds recommended by Apache:

       – Log4j from 2.0-beta9 to 2.10.0: remove the JndiLookup class from the classpath:

              zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

       – Log4j versions from 2.10 to 2.14.1: set the log4j2.formatMsgNoLookups system property to true, or set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

– Use vulnerability scanners:

       – A key tool that can be used is your vulnerability management solution.

       – Using Medigate Clinical Cyber Hygiene, you can create a targeted scan of all potentially vulnerable devices and scan them at once.

       – This will enable you to map all vulnerable devices based on a combination of passive and active information.

– Monitor network traffic and device behavior: use Medigate’s communication alerts to determine whether the devices in your environment communicate with malicious IPs associated with Log4j attacks. For a full list of IoCs associated with Log4j attacks, see this link.
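As an added example (not Medigate's tooling and not code from this advisory or from Apache), the following Python script carries out the "identify affected devices" and workaround-verification steps above on a single host: it walks a directory tree, finds log4j-core jars, including ones nested inside fat jars or WAR/EAR archives, reads the version from the Maven pom.properties that log4j-core ships (falling back to the file name), checks whether JndiLookup.class is still present, and maps each finding to the remediation listed above. The sample jars it builds are constructed placeholders with no real Log4j bytecode, and the path layout and verdict strings are my own. Note that Apache later found the formatMsgNoLookups setting insufficient against CVE-2021-45046 (one of the follow-on CVEs listed at the top of this page), so removing the class or upgrading is preferred even for 2.10 to 2.14.1.

```python
"""Offline scanner for Log4j 2: locate log4j-core jars (including nested
ones), read their version, check for JndiLookup.class, and map the result to
the advisory's remediation. Added example, not Medigate's or Apache's code.
The sample jars built by build_sample() are constructed placeholders."""
import io
import os
import re
import sys
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 0, 9); '2.14.1' -> (2, 14, 1, 2, 0).
    Pre-release tags (beta, rc) sort below the final release with the same numbers."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d*))?", text)
    if not m:
        raise ValueError(f"unrecognized Log4j version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    rank = {"beta": 0, "rc": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch or 0), rank, int(tagnum or 0))


def classify(version, jndi_present):
    """Map a log4j-core version plus JndiLookup presence to a remediation verdict."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "outside the 2.0-beta9..2.14.1 range named in the advisory"
    if v <= parse_version("2.14.1"):
        if not jndi_present:
            return "mitigated: JndiLookup.class removed (upgrade to 2.17.1 still recommended)"
        if v < parse_version("2.10.0"):
            return "VULNERABLE (CVE-2021-44228): remove JndiLookup.class or upgrade to 2.17.1"
        return ("VULNERABLE (CVE-2021-44228): set log4j2.formatMsgNoLookups=true "
                "(or LOG4J_FORMAT_MSG_NO_LOOKUPS=true), remove JndiLookup.class, or upgrade to 2.17.1")
    if v < parse_version("2.17.1"):
        return "below 2.17.1: upgrade (later Log4j CVEs listed in the advisory)"
    return "OK: 2.17.1 or later"


def inspect_jar(zf, path):
    """Return (path, version, jndi_present, verdict) tuples for this archive and nested ones."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:  # Maven metadata bundled inside log4j-core
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is None:  # fall back to the file name, e.g. log4j-core-2.14.1.jar
        m = re.search(r"log4j-core-([\w.\-]+)\.jar$", path)
        version = m.group(1) if m else None
    present = JNDI_CLASS in names
    findings = []
    if version is not None:
        try:
            verdict = classify(version, present)
        except ValueError:
            verdict = f"unrecognized version string {version!r}: inspect manually"
        findings.append((path, version, present, verdict))
    elif present:  # shaded jar with the class copied in but no log4j-core metadata
        findings.append((path, "unknown", True, "JndiLookup.class present, version unknown: inspect manually"))
    for name in sorted(names):  # recurse into nested archives (fat jars, WAR/EAR)
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_jar(inner, f"{path}!/{name}"))
    return findings


def scan_tree(root):
    """Scan every archive under root; skips files that are not valid zip archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(inspect_jar(zf, full))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample(root):
    """Constructed placeholder jars for the demo (no real Log4j bytecode inside)."""
    def write(path, version, with_jndi):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"placeholder")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    write(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)   # unpatched
    write(os.path.join(lib, "log4j-core-2.8.2.jar"), "2.8.2", False)    # class stripped with zip -d
    write(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)   # 2.17.1 still ships the class, JNDI off by default
    inner = io.BytesIO()                                                # fat jar hiding log4j-core 2.10.0
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.10.0\n")
        zf.writestr(JNDI_CLASS, b"placeholder")
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.10.0.jar", inner.getvalue())


def demo():
    """Scan the constructed sample tree; returns {path relative to the tree: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return {os.path.relpath(p, tmp): verdict for p, _, _, verdict in scan_tree(tmp)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a real install tree, e.g. an application server's lib directory
        for path, version, present, verdict in scan_tree(sys.argv[1]):
            print(f"{path}\t{version}\tJndiLookup={'yes' if present else 'no'}\t{verdict}")
    else:
        for path, verdict in sorted(demo().items()):
            print(f"{path}\t{verdict}")
```

Run it with a directory argument to scan a real host; without arguments it scans the constructed sample tree. The nested-archive recursion matters in practice because application servers and Spring Boot style fat jars bundle log4j-core where a plain file-name search will not see it, and the "class present, version unknown" branch catches shaded jars that copied JndiLookup.class in without the Maven metadata.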

 

 

As always, reach out to the Medigate team for further information or assistance in remediation. 

 

To learn more about the Medigate Research Labs and our Threat Intel Feed, visit medigate.io/threat.