HOW DEVICE42 CAN HELP
- Device42’s discovery capability can help you identify systems vulnerable to the Log4j RCE
- the Log4j vulnerability is critical and impacts many applications and systems
- Device42’s software is not impacted by the Log4j vulnerability
CertNZ revealed on Friday, December 10th that a popular Java logging library, Log4j, has a critical remote code vulnerability. This is a rare 10 CVSS score with observed exploits in the wild. Millions of applications use Log4j and we are seeing vulnerabilities announced by nearly every major software company such as Apple, Amazon, Cisco, Red Hat, Microsoft, and many more.
Any Apache versions from 2.0 to 2.14.1 with Log4j are vulnerable and easily exploitable with a web request with a simple user string. The additional challenge is that Apache and Log4j are heavily embedded in many commercial software solutions. The list of impacted solutions is growing rapidly and the community is working together to identify any potential packages with version-specific details.
Device42 has concluded its full product assessment and has determined that it has no vulnerable versions of Log4j in its products or in its environments.
HOW DO YOU FIX IT
For Apache instances in your control, upgrade Log4j to 2.15.0 as soon as possible. For situations where you cannot immediately upgrade, there is a workaround for versions 2.10 and above where you can mitigate the vulnerability:
Set log4j2.formatMsgNoLookups to true by adding:
“‐Dlog4j2.formatMsgNoLookups=True” to the JVM command for starting your application.
HOW DEVICE42 HELPS
As an IT discovery solution, Device42 can provide an inventory of the software deployed in an IT environment that could be potentially vulnerable to the Log4j vulnerability. For those customers with the optional Application Dependency Mapping capability, more advanced discoveries are possible to inspect the Java JVM arguments for any references to Log4j and identify vulnerable versions along with the details of where this software is deployed in your environment.
We have prepared some Device42 object query language reports that can be executed to provide a report of vulnerable software and the servers in which the software is running. These queries can be found on the Device42 Github here:
- Report for Software Packages of Vulnerable Vendors
- Report for Application Components with Log4j in the Parameters
LOG4J REMEDIATION DASHBOARDING
Using the integration between PowerBI and Device42, we have built some powerful dashboards to help your teams find and remediate Log4j issues.
Log4j Software Package Dashboard
This dashboard provides a graphical representation of how many systems have a version of a vendor’s vulnerable software package deployed along with details on which particular piece of software exists on those devices.
Log4j Application Components Dashboard
This dashboard provides an overview of all application components with command line arguments utilizing vulnerable Log4j. These identified applications would be targets for immediate inspection and potential remediation.
The Device42 Log4j Dashboards can be found on the Device42 Github here.
This blog first appeared on the Device42 Blog page and is unchanged: https://blog.device42.com/2021/12/13/log4j-zero-day/