Log4Shell (CVE-2021-44228) is a critical remote code execution vulnerability in Apache Log4j2, a widely used Java logging library. According to Skybox Research Lab, the CVE has likely been actively exploited in the wild since December 1, 2021.
On December 14, 2021, a second Log4j vulnerability was disclosed, CVE-2021-45046: the fix for CVE-2021-44228 shipped in Log4j 2.15.0 was incomplete in certain non-default configurations. It was initially scored CVSS 3.7 out of 10 (later revised to 9.0) and affects Log4j 2.15.0 and all earlier 2.x releases except 2.12.2 [1]. The Skybox threat intelligence team is closely monitoring Log4j2 and proactively updating the Skybox Security Dictionary.
Combine passive and active scanning to identify Log4j instances
Two approaches to vulnerability discovery: traditional and passive scanning
Combining active and passive scanning to remediate Log4j vulnerability exposures:
- Traditional scanning – Traditional (active) vulnerability scanners probe reachable hosts and reactively alert administrators to the vulnerabilities they find. They do not take into account all the factors that influence vulnerability risk, such as whether the asset is actually exposed or the flaw is exploitable in its context, so security teams waste resources on issues that attackers may never find or know how to exploit.
- Passive scanning – Some assets cannot be actively scanned at all, leaving gaps in vulnerability management programs. Passive scanning combines threat intelligence with vulnerability data collected from multiple sources: active scanners, security, cloud and network technologies, CMDBs, and endpoints. This analysis identifies vulnerabilities without touching the client or server.
Note: Defenders should increase the frequency of both passive and active scanning. Scans run before detection content for CVE-2021-44228 existed could at best inventory assets that have the Log4j library installed; they did not test for the vulnerability itself, and they miss copies of Log4j bundled inside application archives, so those assets must be rescanned.
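The gap both approaches leave is the copy of log4j-core bundled inside an application archive under some other file name, which neither a network probe nor a package inventory sees. The following Python script is an added example (not Skybox's tooling or code from the article) of the host-side check that closes that gap: it walks JAR, WAR and EAR files recursively, reads the Maven pom.properties that log4j-core ships with, notes whether JndiLookup.class is still present, and maps the version to the two CVEs discussed above. The archive names, paths and contents are constructed fixtures containing no real Log4j bytecode; the nesting and version rules are the point.

```python
"""Recursive Log4j inventory for JAR/WAR/EAR files.

Added example for this article, not Skybox's tooling. The sample archives
are constructed in memory below and contain no real Log4j bytecode; the
version rules cover only the two CVEs the article discusses.
"""
import io
import zipfile
from typing import Dict, List

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_LOOKUP_SUFFIX = "lookup/JndiLookup.class"  # also matches relocated (shaded) packages
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # guard against pathological nesting


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1). Pre-release tags are dropped, so '2.0-beta9'
    becomes (2, 0, 0) and is treated as affected (conservative)."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def affected_cves(version: str, jndi_present: bool) -> List[str]:
    """Map a log4j-core version to the CVEs named in the article.

    CVE-2021-44228 affects 2.0-beta9..2.14.1; CVE-2021-45046 affects 2.0-beta9..2.15.0.
    2.12.2 is the Java 7 backport that fixes both and 2.16.0 closes both; removing
    JndiLookup.class is the documented mitigation for both on any other release.
    Log4j 1.x is outside the scope of these two CVEs.
    """
    v = parse_version(version)
    if v < (2, 0, 0) or v >= (2, 16, 0) or v == (2, 12, 2):
        return []
    if not jndi_present:
        return []
    if v == (2, 15, 0):
        return ["CVE-2021-45046"]
    return ["CVE-2021-44228", "CVE-2021-45046"]


def scan_archive(data: bytes, label: str, findings: List[Dict], depth: int = 0) -> None:
    """Record every log4j-core found in `data`, descending into nested archives.
    `label` uses the 'outer!/inner' convention so each hit is locatable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive (or truncated): nothing to inventory
    with zf:
        names = zf.namelist()
        jndi = any(n.endswith(JNDI_LOOKUP_SUFFIX) for n in names)
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((line.split("=", 1)[1].strip() for line in props
                            if line.startswith("version=")), "unknown")
            cves = affected_cves(version, jndi) if version != "unknown" \
                else ["UNKNOWN: version metadata missing"]
            findings.append({"path": label, "version": version, "jndi_lookup": jndi, "cves": cves})
        elif jndi:
            # log4j-core classes present but Maven metadata stripped (shading,
            # repackaging): report it rather than silently passing.
            findings.append({"path": label, "version": "unknown", "jndi_lookup": True,
                             "cves": ["UNKNOWN: version metadata missing"]})
        if depth >= MAX_DEPTH:
            return
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!/{name}", findings, depth + 1)


def inventory(archives: Dict[str, bytes]) -> List[Dict]:
    """Scan a mapping of label -> archive bytes (e.g. read from disk)."""
    findings: List[Dict] = []
    for label, data in archives.items():
        scan_archive(data, label, findings)
    return findings


def _make_jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _fake_log4j_core(version: str, keep_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core: metadata plus a 4-byte fake class."""
    entries = {POM_PROPS: f"version={version}\ngroupId=org.apache.logging.log4j\n"
                          f"artifactId=log4j-core\n".encode()}
    if keep_jndi:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # class-file magic only
    return _make_jar(entries)


def build_sample_archives() -> Dict[str, bytes]:
    """Constructed fixtures covering the cases a practitioner meets."""
    return {
        # WAR with a renamed 2.14.1 in WEB-INF/lib: a file-name match on 'log4j' misses it.
        "app.war": _make_jar({"WEB-INF/lib/logging-shaded.jar": _fake_log4j_core("2.14.1", True),
                              "WEB-INF/web.xml": b"<web-app/>"}),
        # EAR -> JAR -> 2.15.0: only the incomplete-fix CVE applies.
        "suite.ear": _make_jar({"lib/core-bundle.jar": _make_jar(
            {"lib/log4j-core-2.15.0.jar": _fake_log4j_core("2.15.0", True)})}),
        # 2.14.1 with JndiLookup.class removed: the documented hot-patch mitigation.
        "patched.jar": _fake_log4j_core("2.14.1", False),
        # 2.16.0: not affected by either CVE discussed here.
        "current.jar": _fake_log4j_core("2.16.0", True),
    }


if __name__ == "__main__":
    for hit in inventory(build_sample_archives()):
        print(f"{hit['path']}: log4j-core {hit['version']} "
              f"(JndiLookup present: {hit['jndi_lookup']}) -> {hit['cves'] or 'not affected'}")
```

On a real host, feed `inventory` the bytes of every `*.jar`, `*.war` and `*.ear` under the application directories (and any Spring Boot fat jars, which nest their dependencies under `BOOT-INF/lib/`); the script reports the nested path of each hit so the owning application can be identified. Treat an "UNKNOWN" result as a finding to investigate, not a pass: a shaded jar that dropped its Maven metadata is still log4j-core.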
Use cases where passive scanning is required
- Large, multi-national companies: Rolling out patches for all vulnerable products and services is a massive lift for organizations with hundreds of thousands of assets. Active scanning windows cover only a limited batch of assets each night, so a complete cycle across an estate of that size can take approximately 30 days. To put this timeline in perspective, CVE-2021-44228 had reportedly been exploited before it was disclosed to the public [2].
- Third-party risk: Log4j is embedded in many market-leading components from market-leading vendors, so the ripple effect on business risk is huge. By understanding the entire state of your environment today, you can develop a rapid and targeted remediation plan that addresses the real risk to exposed, mission-critical assets. Everything that uses the Log4j library must be tested to confirm an adequate fix is in place: verify the log4j-core version actually shipped in the product (or that the JndiLookup class has been removed) rather than relying on a vendor statement alone.
“Organizations with mature cybersecurity practices can identify exposure within hours of a major exploit announcement. Today, it is an obligation to put the cybersecurity tools and processes in place that you need to be prepared,” said Haggai Polak, Chief Product Officer, Skybox Security. “Effective cybersecurity requires access to the data you need to make informed decisions. For example, network operators might not even be aware that it’s something in their environment. Given the flaw is expected to have serious repercussions worldwide, organizations must identify exposures immediately.”
Be prepared: Vulnerability discovery, exposure-based prioritization, remediation, mitigation
As soon as significant vulnerabilities are announced, organizations can immediately reduce business risk with these three foundational actions:
- Evaluate the hardware and software within your networks that are potentially impacted.
- Identify your vulnerabilities that are exposed, exploitable, and deployed in areas of the network that open your business to risk.
- Develop a rapid and targeted remediation plan that includes applying mitigating controls, compensating controls, configuration changes, patches, and upgrades.