Apache Log4j (”Log4Shell”) Vulnerability
On Friday, December 10, 2021 the Cybersecurity and Infrastructure Security Agency (CISA) published a current activity notice highlighting a security advisory by the Apache Software Foundation to address a remote code execution vulnerability (CVE-2021-44228) impacting log4j versions 2.0-beta9 to 2.14.1. Log4j is an open-source, Java-based logging utility widely used by enterprise applications, cloud services, Internet-of-Things, and SCADA systems.
Water and wastewater utility system administrators are encouraged to review the Apache Log4j 2.15.0 Announcement and upgrade to log4j 2.15.0 or apply the recommended mitigations immediately. Additionally, CISA has published a webpage and a community-sourced GitHub repository including further information regarding tactics, techniques, and procedures (TTPs), mitigations, and a list of impacted vendors/manufacturers. CISA notes it will continue to update both resources as it has further guidance to impart and additional vendor information to provide.
What you need to know.
- A critical vulnerability impacting the Apache log4j library has been identified in version 2.0-beta9 to 2.14.1.
- An unauthenticated attacker could remotely exploit this vulnerability to take control of an affected system.
- Given its wide use among enterprise, cloud services, Internet-of-Things, and SCADA systems, CISA estimates hundreds of millions of devices are impacted by this vulnerability.
- Likewise, given its widespread usage it is important for water and wastewater sector entities to assess their networks for the presence of the vulnerable log4j library.
Is the disclosed vulnerability patched?
- Apache has released log4j 2.15.0 to fix this vulnerability.
- GitHub has an initial list of known affected products, and CISA is expected to have a list published within the coming day.
- For use of the vulnerable log4j library within your environment, it may be necessary to reach out to system integrators, and ICS and IoT manufacturers.
Is this vulnerability being actively exploited?
Yes, there is widespread mass scanning using publicly available exploit code. CISA noted that its scanners have also detected targeted attacks.
Recommended Actions
Upgrading to version 2.15.0 is the most effective way to reduce the risk from this vulnerability. However, as utilities assess systems for impact and work to install available patches, the following basic cybersecurity hygiene practices may mitigate and detect exploitation:
- Implement network segmentation best practices and ensure devices are not accessible from the Internet.
- Conduct frequent vulnerability scanning and intrusion detection monitoring.
- Investigate every alert emanating from vulnerable systems using the log4j library.
- Update Web Application Firewalls (WAFs) with the latest rules.
Additional Information
CISA is available to provide cybersecurity advice and support to entities working to obtain a patch. To request support from CISA, please contact [email protected]. For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics or incident reporting: https://us-cert.cisa.gov/report.
WaterISAC will continue to share information with members and partners as more is learned about this vulnerability. Likewise, all water and wastewater utilities are encouraged to share information with WaterISAC by emailing [email protected], calling 866-H20-ISAC, or using the online incident reporting form.
References
- https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce
- https://logging.apache.org/log4j/2.x/security.html
- https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
- https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/
- https://www.tenable.com/blog/apache-log4j-flaw-a-fukushima-moment-for-the-cybersecurity-industry
- https://www.tenable.com/blog/apache-log4j-flaw-puts-third-party-software-in-the-spotlight