Five nations issue alert and comprehensive guidance for fighting Log4Shell vulnerabilities

Canada and its Five Eyes intelligence partners have issued a joint alert on the Log4Shell and related critical vulnerabilities to make sure infosec pros understand the seriousness of the issue.

“Treat known and suspected vulnerable assets as compromised,” says the alert. “These assets should be isolated until they are mitigated and verified.”

Issued by the Canada Centre for Cyber Security, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the U.S. National Security Agency, the Australian Cyber Security Centre, the Computer Emergency Response Team New Zealand, the New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre, the document provides comprehensive mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library.

That includes

–CVE-2021-44228 (known as “Log4Shell”), disclosed on December 10, is a remote code execution (RCE) vulnerability affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1. Apache released Log4j version 2.15 to fight this;

–CVE-2021-45046, disclosed on December 13, which enables a remote attacker to cause a denial-of-service (DoS) condition or other effects in certain non-default configurations. Apache released Log4j version 2.16.0 (Java 8) to fight this;

–and CVE-2021-45105, disclosed on December 16, which enables a remote attacker to cause a DoS condition or other effects in certain non-default configurations. Apache released Log4j version 2.17.0 (Java 8) in response.

“Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems,” says the alert. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.

Application developers with environments using Java 8 or later should upgrade to Log4j version 2.17 or newer, says the alert. Those using Java 7 should upgrade to Log4j version 2.12.3 (released December 21, 2021). However, the alert also notes that Java 7 is currently end of life, and advises organizations to upgrade to Java 8. They should also inform their end users of products that contain these vulnerabilities and strongly urge them to prioritize software updates, the alert says.

IT departments should inventory all assets — including cloud assets, regardless of function, operating system, or make — that use the Log4j Java library. That inventory should include the following attributes of each asset:

    1. Software versions
    2. Timestamps of when last updated and by whom
    3. User accounts on the asset with their privilege level
    4. Location of asset in the enterprise topology.

Use CISA’s GitHub repository and CERT/CC’s CVE-2021-44228_scanner to identify assets vulnerable to Log4Shell.
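As an added example, not part of the alert and not the code of CISA’s or CERT/CC’s scanners, the following Python checks a Log4j 2.x version string against the fixed releases the alert names and reads the version out of a log4j-core jar’s Maven metadata, so an inventory can record the “software version” attribute and the upgrade target for each asset. It assumes the standard pom.properties path inside log4j-core jars; the Java 7 fixed versions for the first two CVEs (2.12.2) are taken from Apache’s release notes, not from the article.

```python
"""Classify Log4j 2.x versions against the advisory's fixed releases."""
import re
import zipfile

# Fixed release per CVE as (Java 8+ line, Java 7 / 2.12.x line).
# 2.12.2 for the first two CVEs comes from Apache's release notes (assumption
# stated in the lead-in); the remaining values are the ones the alert names.
FIXED = {
    "CVE-2021-44228": ("2.15.0", "2.12.2"),
    "CVE-2021-45046": ("2.16.0", "2.12.2"),
    "CVE-2021-45105": ("2.17.0", "2.12.3"),
}
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def version_key(version):
    """Sortable key in which a pre-release such as 2.0-beta9 orders before 2.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(?:alpha|beta|rc)(\d*))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # 2.15 -> 2.15.0
    pre = (0, int(m.group(2) or 0)) if m.group(2) is not None else (1, 0)
    return nums + pre


def affected_cves(version):
    """CVEs from the alert that still apply to this version (empty if none)."""
    v = version_key(version)
    if v < version_key("2.0-beta9"):
        return []                           # below the alert's stated range (1.x)
    line = 1 if v[:2] == (2, 12) else 0     # 2.12.x is the Java 7 branch
    return [cve for cve, fixed in FIXED.items() if v < version_key(fixed[line])]


def recommended_upgrade(java7=False):
    """Upgrade target per the alert: 2.12.3 on Java 7, otherwise 2.17.0."""
    return "2.12.3" if java7 else "2.17.0"


def log4j_version_from_jar(jar_path):
    """Read the log4j-core version from the jar's Maven metadata, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PATH not in jar.namelist():
            return None
        for line in jar.read(POM_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None
```

Run `affected_cves(log4j_version_from_jar(path))` over each log4j-core jar found in the inventory; a non-empty result marks the asset as one the alert says to isolate until mitigated and verified.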

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
