12.14.2021

Critical – Vulnerability for Log4j, CVE-2021-44228, Log4Shell, Update #1

Alert
  • facebook share link
  • twitter share link
  • linkedin share link
  • mail share link

Date of Notice: 12/14/2021

Action Level - Critical

Description

As part of our Edgeguard service, MCNC would like to update you on the threat affecting the Java logging utility Log4j. This is being tracked as CVE-2021-44228. Apache documentation here.
 
Affected Devices

While no exhaustive list has been collected, the following page contains known tested software and its vulnerability status. Even if a given device isn’t on this page, assume it is vulnerable until proven otherwise.
 
Attack Vector

Any attacker with network access that can pass text to the given device can exploit this vulnerability. This could be an external bad actor interacting with public facing devices or an internal bad actor interacting with any device they have network access to.

Attack Feasibility

This vulnerability is actively being exploited.

Mitigations

Various A/V and WAF vendors are beginning to roll out detections of these attacks.
You can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in JVM command line) (but only for >= 2.10.0).
Ensure all devices are patched to their most current version.

Remediation

The following GitHub page has direct links to various vendor updates.

Collected Resources

This site also includes additional information on impacted and non-impacted vendors as well.

MCNC
PO Box 12889
3021 East Cornwallis Road
RTP, NC 27709-2889
919-248-1900 Phone | 919-248-1101 Fax
Connect With Us
  • linkedin
  • instagram
  • x
  • facebook
  • youtube
© 2024 MCNC