Log4j: How to use passive and active scanning to identify vulnerability exposures

Apache Log4j CVE-2021-44228: Close gaps in vulnerability management programs with comprehensive discovery, exposure-based vulnerability prioritization, and vulnerability remediation beyond patching.

Log4Shell (CVE-2021-44228) is a critical remote code execution vulnerability in Apache Log4j2, a widely used Java logging library. According to Skybox Research Lab, the CVE has likely been actively exploited in the wild since December 1, 2021.

On December 14, 2021, a second Log4j vulnerability was disclosed, CVE-2021-45046. It has a CVSS score of 3.7 out of 10 and affects Log4j versions 2.14.1 and prior [1]. The Skybox threat intelligence team is closely monitoring Log4j2 and proactively updating the Skybox Security Dictionary.

Combine passive and active scanning to identify Log4j instances

Two approaches to vulnerability discovery: traditional and passive scanning

Combining active and passive scanning to remediate Log4j vulnerability exposures:

  1. Traditional scanning – Traditional vulnerability scanners reactively alert administrators of vulnerabilities. Traditional scanners don’t take into account all factors that influence vulnerability risk. This leaves security teams wasting resources on issues that attackers may never find or know how to exploit.
  2. Passive scanning – Some assets are not scannable, leading to gaps in vulnerability management programs. Passive scanning combines threat intelligence with vulnerability data collected from multiple sources, including active scanners, security, cloud, network technologies, CMDBs, and endpoints. This passive analysis allows you to identify vulnerabilities without interfering with your client or server.

Note: Defenders should increase the frequency of both passive and active scanning. Previous scans likely only identify assets with the Log4j library installed.
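The passive approach described above amounts to correlating software-inventory data that already exists (scanner output, CMDB component lists, endpoint-agent JAR listings) against the affected version range, so that assets an active scan never touched still get evaluated. The following script is an added example of that correlation; it is not Skybox code and not part of the original post. The record layouts, source names and asset names are assumptions and the sample records are constructed. It encodes the CVE-2021-44228 threshold (fixed in 2.15.0, with 2.12.2 as the Java 7 backport) as constants so the ranges can be updated as advisories change.

```python
"""Passive identification of Log4j 2 instances by correlating inventory records
from several sources (active scanner output, CMDB entries, endpoint-agent JAR
listings). Added example: the record layouts and source names are assumptions,
not any product's data model."""
import re
from collections import defaultdict

# CVE-2021-44228 affects Log4j 2 releases before 2.15.0; the 2.12.2 backport
# (for Java 7) is also fixed. Thresholds are constants so they can be updated
# as advisories change (e.g. to add the CVE-2021-45046 range).
FIXED_FROM = (2, 15, 0, True)
FIXED_BACKPORTS = {(2, 12, 2, True)}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z]\w*))?$")
_JAR_RE = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$")


def parse_version(text):
    """Return (major, minor, patch, is_final). Pre-release qualifiers such as
    '2.0-beta9' or '2.15.0-rc1' sort below the final release of that number."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), qualifier is None)


def is_affected(version_text):
    """True when the version falls in the CVE-2021-44228 affected range."""
    v = parse_version(version_text)
    if v[0] != 2:
        return False  # Log4j 1.x is a different codebase; out of scope here
    return v < FIXED_FROM and v not in FIXED_BACKPORTS


def normalise(record):
    """Yield (asset, version) pairs from one record, whatever its source."""
    src = record["source"]
    if src == "scanner" and record.get("product") == "log4j-core":
        yield record["asset"], record["version"]
    elif src == "cmdb":
        for comp in record.get("components", []):
            if comp["name"] == "log4j-core":
                yield record["asset"], comp["version"]
    elif src == "endpoint":
        for path in record.get("jars", []):
            m = _JAR_RE.search(path)
            if m:
                yield record["asset"], m.group(1)


def find_log4j_exposures(records):
    """Merge all sources per asset; an asset is affected if any observed
    log4j-core version is in the affected range."""
    found = defaultdict(lambda: {"versions": set(), "sources": set(), "affected": False})
    for rec in records:
        for asset, version in normalise(rec):
            entry = found[asset]
            entry["versions"].add(version)
            entry["sources"].add(rec["source"])
            entry["affected"] = entry["affected"] or is_affected(version)
    return dict(found)


SAMPLE_RECORDS = [  # constructed sample data, not real assets
    {"source": "scanner", "asset": "web-01", "product": "log4j-core", "version": "2.14.1"},
    {"source": "cmdb", "asset": "web-01", "product": "Storefront",
     "components": [{"name": "log4j-core", "version": "2.14.1"}]},
    {"source": "cmdb", "asset": "erp-02", "product": "ERP Suite",
     "components": [{"name": "log4j-core", "version": "2.11.1"},
                    {"name": "jackson-databind", "version": "2.12.3"}]},
    {"source": "endpoint", "asset": "jump-03",
     "jars": ["/opt/app/lib/log4j-core-2.15.0.jar", "/opt/app/lib/log4j-api-2.15.0.jar"]},
    {"source": "endpoint", "asset": "legacy-04",
     "jars": ["/opt/legacy/lib/log4j-core-2.12.2.jar"]},
    {"source": "endpoint", "asset": "build-05",
     "jars": ["/opt/ci/lib/log4j-core-2.0-beta9.jar"]},
]

if __name__ == "__main__":
    for asset, info in sorted(find_log4j_exposures(SAMPLE_RECORDS).items()):
        status = "AFFECTED" if info["affected"] else "ok"
        print(f"{asset:10} {status:9} versions={sorted(info['versions'])} "
              f"sources={sorted(info['sources'])}")
```

The merge step is the point: `web-01` is seen by both the scanner and the CMDB and is reported once, while `erp-02`, `legacy-04` and `build-05` were never scanned and are still classified from inventory data alone. A library that is present but bundled under a vendor product name will only be caught if the CMDB records components, which is why the page stresses combining sources rather than relying on one.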

Use cases where passive scanning is required
  • Large, multi-national companies: Rolling out patches for all vulnerable products and services is a massive lift for organizations with hundreds of thousands of assets. Today, organizations can scan about 100 assets each night. At this rate, it could take approximately 30 days to scan all assets. To put this timeline in perspective, CVE-2021-44228 had reportedly been exploited before it was disclosed to the public [2].
  • Third-party risk: Log4j is used in many market-leading components across market-leading vendors. As a result, there will be a huge ripple effect that increases business risk. By understanding the entire state of your environment today, you can develop a rapid and targeted remediation plan that addresses the real risk to exposed, mission-critical assets. Everything that uses the Log4j library must be tested to ensure an adequate fix is in place.

“Organizations with mature cybersecurity practices can identify exposure within hours of a major exploit announcement. Today, it is an obligation to put the cybersecurity tools and processes in place that you need to be prepared,” said Haggai Polak, Chief Product Officer, Skybox Security. “Effective cybersecurity requires access to the data you need to make informed decisions. For example, network operators might not even be aware that it’s something in their environment. Given the flaw is expected to have serious repercussions worldwide, organizations must identify exposures immediately.”

Be prepared: Vulnerability discovery, exposure-based prioritization, remediation, mitigation

As soon as significant vulnerabilities are announced, organizations can immediately reduce business risk with these three foundational actions:

  1. Evaluate hardware and software within their networks that are potentially impacted.
  2. Identify your vulnerabilities that are exposed, exploitable, and deployed in areas of the network that open your business to risk.
  3. Develop a rapid and targeted remediation plan that includes applying mitigating controls, compensating controls, configuration changes, patches, and upgrades.

Remediation options beyond patching

For a widespread vulnerability such as Log4j, patching all of the vulnerability instances would be too time-consuming and costly. History shows the “patch everything” strategy is a monumental waste of effort since it’s typically just a small subset of such devices exposed to attack.

If you cannot patch immediately due to legacy software such as older versions of Java, consider alternate remediation options:

  • Intrusion prevention: All Log4j remediation options are added to the Skybox Security Dictionary. This feature identifies where IPS signatures can be turned on to block the exploit directly.
  • Path analysis: Are your impacted operational technology (OT) assets connected to the internet? Path analysis across your entire environment identifies actual Log4j exposures that could impact your business.
  • Access rules: Eliminate risky rules and reduce misconfigurations. Fix rule violations, unauthorized access, and risky rules within firewall policies.
  • Network segmentation: Model your network to confirm network segmentation is effective. Use segmentation to protect all important business assets, including applications, endpoints, and other sensitive data.
  • Network configuration adjustments: Proactively manage exposure by validating configurations before making changes. Check to confirm new configurations have not caused an exposure inadvertently.
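The three foundational actions above (discover, identify what is exposed and exploitable, plan targeted remediation) and the path-analysis, segmentation and intrusion-prevention options in this list come together in a single prioritisation step: a finding is only urgent if an attacker can actually reach the service and no compensating control sits in the way. The script below is an added example of that step; it is not Skybox code and not part of the original post. The zone model, rule format, asset attributes and the three tier labels are assumptions, and the network and asset data are constructed. It deliberately reduces path analysis to a zone-level reachability graph keyed by destination port; a real path analysis walks routers, NAT and full firewall rule bases.

```python
"""Exposure-based prioritisation of Log4j findings: combine the vulnerability
finding with a path-analysis check (can an internet-zone source reach the
service?) and the presence of compensating controls (inline IPS with the Log4j
signature, segmentation) to decide what to remediate first. Added example; the
zone model, rule format, asset attributes and tier labels are assumptions."""

# --- constructed network model ------------------------------------------
# Firewall allow rules as (src_zone, dst_zone, dst_port). Only explicit allows
# are listed, so any (src, dst, port) not present is denied.
ALLOW_RULES = [
    ("internet", "dmz", 443),
    ("internet", "extranet", 8443),
    ("dmz", "app", 8080),
    ("corp", "app", 8080),
    ("corp", "ot", 502),
]
# Zone boundaries where an inline IPS has the Log4j signature enabled.
IPS_COVERED_BOUNDARIES = {("internet", "dmz")}

# Assets already flagged (or cleared) by discovery. 'critical' is a business tag.
ASSETS = [  # constructed
    {"asset": "web-01", "zone": "dmz", "port": 443, "affected": True, "critical": False},
    {"asset": "api-02", "zone": "extranet", "port": 8443, "affected": True, "critical": False},
    {"asset": "erp-03", "zone": "app", "port": 8080, "affected": True, "critical": True},
    {"asset": "hist-04", "zone": "ot", "port": 502, "affected": True, "critical": True},
    {"asset": "dns-05", "zone": "corp", "port": 53, "affected": False, "critical": False},
]


def paths_from_internet(dst_zone, port, rules=ALLOW_RULES):
    """All simple zone paths from 'internet' to dst_zone on which every hop is
    permitted for the destination port (routed traffic keeps its dst port)."""
    paths = []

    def walk(zone, path):
        if zone == dst_zone:
            paths.append(path)
            return
        for src, dst, p in rules:
            if src == zone and p == port and dst not in path:
                walk(dst, path + [dst])

    walk("internet", ["internet"])
    return paths


def prioritise(assets, rules=ALLOW_RULES, ips=IPS_COVERED_BOUNDARIES):
    """Return affected assets sorted highest priority first, with a tier and reason.
    Tier 1: internet-reachable, no compensating control.
    Tier 2: internet-reachable, but every path crosses an IPS boundary with the signature.
    Tier 3: affected but not reachable from the internet zone (segmentation holds)."""
    findings = []
    for a in assets:
        if not a["affected"]:
            continue
        paths = paths_from_internet(a["zone"], a["port"], rules)
        if not paths:
            tier, why = 3, "not reachable from the internet zone; schedule patch"
        else:
            covered = all(any((x, y) in ips for x, y in zip(p, p[1:])) for p in paths)
            if covered:
                tier, why = 2, "internet-exposed; IPS signature on every path; patch next"
            else:
                tier, why = 1, "internet-exposed with no compensating control; patch or block now"
        findings.append({"asset": a["asset"], "tier": tier, "critical": a["critical"],
                         "paths": paths, "reason": why})
    # Within a tier, mission-critical assets first.
    findings.sort(key=lambda f: (f["tier"], not f["critical"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in prioritise(ASSETS):
        print(f"tier {f['tier']}  {f['asset']:8} critical={f['critical']!s:5} "
              f"paths={f['paths']}  {f['reason']}")
```

Run as-is, `api-02` comes first (reachable through a boundary with no IPS coverage), `web-01` second (reachable, but the internet-to-dmz IPS covers the only path), and the two critical but segmented assets last. The same function also answers the "check before you change" point in the last bullet: passing an extended rule list (for example adding `("internet", "dmz", 8080)`) re-runs the analysis and shows `erp-03` moving from tier 3 to tier 2, because the proposed rule would open a path to it through the DMZ.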

Skybox Security will continue to monitor the impact of the exploit. In the meantime, always remember to patch or remediate your most mission-critical, exposed assets first.

Footnotes:
  1. National Vulnerability Database, CVE-2021-45046 Detail, Dec. 14, 2021, https://nvd.nist.gov/vuln/detail/CVE-2021-45046
  2. TechTarget, Critical Log4j flaw exploited a week before disclosure, Dec. 13, 2021, https://www.techtarget.com/searchsecurity/news/252510892/Critical-Log4j-flaw-exploited-a-week-before-disclosure