Log4J Cybersecurity Risk Not a Threat to 75F Customers
A new 0-day vulnerability called Log4Shell is quickly gaining a reputation as one of the worst cybersecurity threats to have ever emerged. The vulnerability is in Apache's Log4j, a popular Java logging package, and could allow attackers to run malicious code on vulnerable devices or servers, including building management systems.
We would like to assure customers that the 75F security team became aware of this threat last week, and no 75F users are affected or at risk. However, out of an abundance of caution, our team has already tested and pushed a security update ensuring all of our applications are running the latest patched version of Log4j, 2.16.0.
While 75F systems are not at risk, it remains important to consider the ways Log4Shell could affect other aspects of your business and take necessary security precautions.
Overview
Apache's Log4j software library is widely used in enterprise services, websites, and applications to log security and performance information. The US Joint Cyber Defense Collaborative warned publicly today that an unauthenticated remote actor could exploit this vulnerability to take control of an affected system: an attacker who can control log messages or log message parameters can execute malicious code loaded from LDAP servers when message lookup substitution is enabled. The government statement coincided with Apache's release of Log4j version 2.15.0, a security update intended to address this vulnerability.
We urge all customers to take this threat seriously, implement this security update across their own systems and infrastructure, and contact their vendors to identify, mitigate and patch any products or software affected.
Technical details
If you believe you may be affected:
Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround:
In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Apply available patches immediately. See CISA's upcoming GitHub repository for known affected products and patch information.
Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=true to the Java Virtual Machine command that starts your application. Note: this may change a system's logging behavior if it relies on Lookups for message formatting, and it only works for versions 2.10 and above. Apache has since documented that this property-based workaround is not sufficient on its own, so treat it as a stop-gap and still upgrade (or remove the JndiLookup class) as soon as possible.
Under BOD 22-01, CISA has added CVE-2021-44228 to its Known Exploited Vulnerabilities Catalog and directs federal civilian agencies to mitigate it by December 24, 2021.
Conduct a security review to determine whether there is a security concern or compromise in your building automation systems, IoT devices, or other software in your building. The log files of any service using an affected Log4j version will contain user-controlled strings, so review them for attacker-supplied JNDI lookup strings (for example, ${jndi:ldap://...}), which indicate an exploitation attempt even when it did not succeed.
When in doubt, block all incoming and outgoing connections between the affected system and the internet. The exploit depends on the vulnerable host reaching out to an attacker-controlled LDAP or RMI server, so blocking outbound connections is what matters most.
Contact CISA or the FBI if you believe you may have been affected.
A community-sourced GitHub repository that provides a list of publicly available information and vendor-supplied advisories is available for your IT or security teams.
For all executives, business owners, or government leaders, CISA’s Cyber Essentials is a helpful guide to increase your understanding of cybersecurity best practices, and a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—exist to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats.