Communiqué

Warning – “log4j” vulnerability

Title:
Cyber-security alert – Information and recommendations in relation to Log4j Vulnerability – CVE-2021-44228 (Grade 10/10)

Content:
We would like to share with the supervised entities this Cyber-security alert, which was initially written by the Cyber incidents Team of the European Central Bank.

What:
Critical unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-44228)

Affecting:
A Java software library named “Log4j” that deals with logging at application level.

Why this alert:
This Java software library is present in many applications and services run by supervised institutions, some of them facing the Internet.

The current scenario described in a few bullet points:
• Vulnerability in a widely used logging library: Log4j, a ubiquitous open source Apache logging framework that developers use to keep a record of activity within an application. This Java library is broadly used in enterprise systems and web apps.
• The vulnerability can be exploited to take control of systems remotely.
• Banks are already observing how their Internet-facing systems are being scanned to identify vulnerable systems.
• Tools that automatically attempt to exploit the bug are already available.

More technically:
• The vulnerability results from how log messages are handled by the Log4j processor. If an attacker sends a specially crafted message, this may result in loading an external code class or message lookup and the execution of that code, a situation known as Remote Code Execution (RCE). Any version of Log4j between versions 2.0 and 2.14.1 is affected.
• Apache has rated the vulnerability at “critical” severity and has already published patches and mitigations. The vulnerability has a score of 10 (out of 10) in the Common Vulnerability Scoring System (CVSS).
• There is the possibility that organizations will need to develop their own patches or will be unable to patch immediately because they may be running legacy software, like older versions of Java.

Main recommendations to the supervised institutions:
Best practices in these cases suggest that IT Security Operations in the supervised institutions should have undertaken a collection of steps along the following lines of action:
o Check their software landscape (both internal servers and, most importantly, Internet-facing servers) for the use of Log4j and apply the corresponding patches where necessary and as soon as possible.
o If patching is not possible, isolating the system from the Internet is strongly recommended.
o If patching and isolation are not possible, then filtering aids such as application-level firewalls, together with Intrusion Detection/Prevention systems (IDS/IPS), are advisable.
o Check for exploitation attempts – no matter whether they are successful or not – in the web server logs.
o Check the network perimeter logs for the presence of indicators of compromise (IOCs).
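
For the first recommendation above (checking the software landscape for the use of Log4j), the following sketch is an example added to this alert, not code from the original text or from Apache. It walks a directory tree, opens JAR/WAR/EAR archives including nested ones, reports every copy of log4j-core it finds, and compares the version in the file name with the affected range given above. The function names and the sample archive are assumptions made for the example; a result of None means the version could not be read from the file name and has to be checked manually.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range as stated in the alert: 2.0 up to and including 2.14.1.
AFFECTED = ((2, 0, 0), (2, 14, 1))
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def in_affected_range(name):
    """True/False when the name carries a log4j-core version, else None."""
    m = CORE_JAR.search(name)
    return m and AFFECTED[0] <= tuple(int(g or 0) for g in m.groups()) <= AFFECTED[1]

def scan_archive(data, label, findings, depth=0):
    """Record log4j-core copies in one archive, descending into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive: nothing to report
    with zf:
        if JNDI_CLASS in zf.namelist():  # found even if the jar was renamed or repackaged
            findings.append((label, in_affected_range(label)))
        for inner in zf.namelist():
            if inner.lower().endswith(ARCHIVES) and depth < 3:
                scan_archive(zf.read(inner), f"{label}!{inner}", findings, depth + 1)

def scan_tree(root):
    """Return [(location, affected)]; affected is None if the version is unknown."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def make_archive(entries):  # helper for the constructed sample only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    core = make_archive({JNDI_CLASS: b""})  # constructed stand-in for log4j-core
    with tempfile.TemporaryDirectory() as root:
        sample = make_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": core})
        Path(root, "app.war").write_bytes(sample)
        for location, affected in scan_tree(root):
            print(affected, location)
```

The check reads the version from the file name only, so a hit does not by itself show whether a mitigation has been applied to that copy.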

The number of impacted systems is expected to be high.

Main technical references:
CERT-EU, Swiss CERT, CVE MITRE and CIRCL.