Runtime Application Security: Made to Protect Against LOG4J2 Attacks

A recently discovered vulnerability in LOG4J2 (also referred to as LOG4SHELL) is being widely reported as one of the most dangerous vulnerabilities in application software to date. There is already news that it is being exploited in the wild, putting widely used applications and cloud services at risk.

LOG4J2 is a popular Java logging framework developed by the Apache Software Foundation. The vulnerability, CVE-2021-44228, allows for Remote Code Execution (RCE) against users with certain standard configurations.  More details on the vulnerability are found in the vulnerability report, CVE-2021-44228, and is considered a critical flaw. LOG4J2 has a base CVSS score of 10 — the highest possible severity rating.

While many organizations are rushing to mitigate this vulnerability, there are some organizations that had peace of mind during this most recent vulnerability announcement.  Organizations that have already taken advantage of Runtime Application Self-Protection (RASP) solutions, like the one K2 Cyber Security offers, didn’t have to worry about LOG4J2, since their runtime agents protected their code and prevented the vulnerability from being exploited.

Even the National Institute of Standards and Technology (NIST)’s SP800-53 that was just released on September 23, 2020, recognized the advantage to  RASP as an added layer of security, and added it as a requirement as part of the security and privacy framework.

K2 Cyber Security’s RASP solution detects and blocks attacks against LOG4J2.  An attacker takes advantage of the fact that LOG4J evaluates log statements before writing to a log file. The attack is instigated when an attacker supplies a payload as template that will be evaluated by the code, resulting in a JNDI lookup of a user controlled string and is used to load a class supplied by the attacker. K2 Cyber Security’s RASP solution detects the attack when an attempt is made to fetch the malicious code and before that code can be executed.  

Figure 1. K2 Security Platform detecting an attack on LOG4J2

K2 Cyber Security’s RASP solution detected and blocked this attack without any tuning or signature updates because its patented deterministic approach identified the LOG4J2 zero day vulnerability just like it would detect and block any other zero day.   

Figure 2. K2 Security Platform detailed information on LOG4J2 attack

 

How does K2 do it?  

K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution.  By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero day attack.  Deterministic security results in the detection of sophisticated zero day attacks and also protects from application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.

K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security and vulnerability detection in an easy to use, easy to deploy solution.  K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application.  To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry including the code module and line number being in the code being attacked, while at the same time integrating with leading firewalls to do real time attacker blocking.

Change how you protect and test your applications, and check out K2’s web application and application workload security solution and evaluate K2’s effectiveness at detecting and protecting your organization from attacks.

Find out more about K2 today by requesting a demo, or get your free trial.

---