Authomize’s Response and Mitigation Guide to the Log4Shell Vulnerability
If you work in InfoSec, then you’ve already had quite the weekend. Or lack thereof.
We can’t give you your weekend back, but we’ve pulled together a quick and dirty briefing on everything you need to know to secure your organization from the Log4j aka Log4Shell vulnerability.
Reach out to Authomize for any questions on how to mitigate your risk from this vulnerability and please share the resources provided here below.
Is Authomize Vulnerable?
No. We’ve checked.
What is Log4j?
An extremely common Java logging library used and packaged in many online software components including many Apache Foundation products and Elasticsearch.
What Happened?
Log4j was found to be vulnerable to a format string code execution bug that was not disclosed and patched in a coordinated manner.
This bug utilizes JNDI capabilities that enable attackers to carry out a Remote Code Execution (RCE). This type of attack on JNDI has been known for at least seven years, if not longer.
The bug (CVE-2021-44228 aka as Log4Shell) causes the vulnerable component (which embeds Log4j) to actively connect to the internet, fetch the malicious code, and run it.
The result is that many apps and software components you might be using are vulnerable. Many organizations are already being targeted by hackers attempting to exploit the situation.
How to Remediate — Step-by-Step Guide
-
Patch Now
- Determine if you have potentially vulnerable components in your products.
- Here is a list of vulnerable components we know of. Stay tuned for updates as it will likely grow.
- You can try Authomize for free and we will send you a report of the relevant components we can discover. This report should be considered an initial review, so further work with your dev team is required.
- The quickest and simplest fix is described under “mitigation” in the official log4j page, which only takes a quick command on the vulnerable server. However, it is highly advised to take the time afterwards and upgrade to fixed versions
- Best practices call for blocking outbound access (incl. DNS!) from internal services in your IaaS. Following this guideline should mitigate against risks from the vulnerability in Log4j.
- Determine if you have potentially vulnerable components in your products.
-
Address Supply Chain Risks
- Verify which of your XaaS vendors and vendors connected to your XaaS systems are vulnerable and may have already been compromised. Start with this list and stay tuned for more names to be added.
- Get your employees to change their organizational passwords for the products of those vendors.
- Monitor and coordinate with your vendors’ incident response coordinators for additional updates.
-
Incident Response
- If you have vulnerable components/vendors, initiate an incident response process as soon as possible.
- Monitor the apps and service principals of the vulnerable app/component.
- Authomize can provide you with immutable activity logs in your apps and infrastructure (where supported).
-
General Reaction
- It is always a good idea to turn on MFA everywhere. It is even more important in the wake of the expected major leaks of passwords and account information.
- Encourage that all user passwords are changed. Password reuse from personal accounts is a real and present danger.
- Try to ramp up your “conditional access” (or whatever your vendor calls that capability) settings to increase device trust requirements for connecting to apps.
How Authomize Can Help
- Highlight possibly vulnerable assets in your inventory
- Contact us for your report
- Identify which of your apps have likely been compromised
- Contact us for your report
- Provide data for your incident response with immutable logs
How to Contribute
Do you have any threat intelligence/info about affected vendors and/or components that can help others in the community stay secure. Go to our GitHub repo and make a pull request to contribute.
Stay Tuned
We will continue posting updates on our LinkedIn and Twitter channels, as well as issuing alerts and notifications to customers directly, so stay tuned for more info as this story develops.
The post Authomize’s Response and Mitigation Guide to the Log4Shell Vulnerability appeared first on Authomize.
*** This is a Security Bloggers Network syndicated blog from Authomize authored by Gabriel Avner. Read the original post at: https://www.authomize.com/blog/authomizes-response-and-mitigation-guide-to-the-log4shell-vulnerability/