How to remediate the Log4j 2 vulnerability

Image of Erik Torlén
Erik Torlén

December 14, 2021

On Friday the 10th of December, a new widespread vulnerability impacting the Apache Log4j version 2 library (CVE-2021-44228) was detected and has gotten much global attention over the weekend. Due to the nature of this vulnerability, it can exist on any operating system and provides the ability for hackers to gain access to arbitrary code. Therefore, it's crucial for organizations to have the correct tools and processes to ensure their infrastructure is secure.

This vulnerability can allow an attacker to, if exploited on a server, gain complete control over entire systems. Any system that could be exploited, should be considered compromised, as well as any devices trusted by the compromised device.

CVE-2021-44228 is considered a critical vulnerability, with a base CVSS score of 10, the highest possible severity rating. While cybercriminals commonly exploit newly disclosed vulnerabilities to take advantage before the vulnerability has been remediated, the massive prevalence of Log4j and with organizations unaware that it's part of their network means that the window for an attack is now much more extensive.

What is the Log4j (Log4Shell) vulnerability?

CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability impacting Log4j version 2. Log4j is a common logging framework for Java-based applications which can be implemented by anyone. Hence the impact of this vulnerability is widespread and impacts platforms and individual applications. The vulnerability is also known as Log4Shell.

The first step to protecting your infrastructure

The Log4j vulnerability can be found on version 2.14.1 and below of Log4j. Therefore the recommended first action is updating vulnerable products to the latest version, 2.16.0, immediately. If it's impossible to update the security immediately, the system/s should be shut down to avoid attacks.

"An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.",quote from NIST.

Getting started with remediation

The complexity of the Log4j vulnerability and its implications are still being assessed. Finding out which applications in your organization use Log4j should be the primary mission. Various detection methods and tools are needed to identify any vulnerable applications or to verify remediation. Detection techniques will differ from instance to instance of the vulnerability.

The first step would be to install the latest updates immediately wherever Log4j is known to be used and then discover unknown instances of Log4j within your organization.

To check if your systems are affected by the Log4j vulnerability, you can run an authenticated or unauthenticated network scan using Holm Security VMP.

Occasions such as these underline the need for continuous vulnerability management. It is by far the best way to make sure your organization detects vulnerabilities at early stages so that even vulnerabilities without media attention are sure to be noticed.

By performing scans regularly, you get a clear view of where your infrastructure is unprotected. In the case of vulnerabilities such as Log4j, you can efficiently perform a scan to know if it concerns your organization and also learn how to remediate it if it does.

Reach out to support@holmsecurity.com if you have any questions.

If you're already a Holm Security customer, please read our helpdesk article about how to find and remediate the Log4j vulnerability.

New call-to-action

Published 14th of December 2021, updated 2021-12-15 09.55