Security Advisory: Bitdefender Response to Critical Zero-Day Apache Log4j2 Vulnerability

Bitdefender Enterprise

December 11, 2021

Security Advisory: Bitdefender Response to Critical Zero-Day Apache Log4j2 Vulnerability

On December 9, 2021, Apache disclosed CVE-2021-44228, a remote code execution vulnerability – assigned with a severity of 10 (the highest possible risk score) – affecting Apache Log4j2, a Java-based logging framework widely used in commercial and open-source software products.

The vulnerability together with two other subsequent vulnerabilities affect versions 2.0 through 2.17.0; version 2.17.1 is not vulnerable. (CVE-2021-44228, the focus of this post was fixed by 2.15, however, CVE-2021-45046 required a fix made in 2.16 and CVE-2021-45105 a fix made in 2.17.)

Bitdefender is already seeing and monitoring several malicious actors running active exploitation campaigns. 

The CVE-2021-44228 vulnerability has been assigned the highest possible risk score (CVSS 10) due to its exploitation impact (ability to remotely execute code on targeted hosts). Likely, this vulnerability will linger in computing infrastructures for an extensive period of time due to the widespread use of the Log4j2 logging framework. It is important to note this vulnerability is easy to exploit and applications using the affected Log4j2 versions are subject to an extensive attack surface. Immediate action is advisable. 

Ways to Mitigate the Risk to Your Infrastructure 

Bitdefender strongly advises its customers to take immediate action and deploy all existing patches and mitigations recommended in industry vendor advisories. We also recommend the following course of action: 

  • Conduct an extensive infrastructure and software application audit to identify all systems that implement the Apache Log4j2 logging framework. Then, either immediately upgrade these deployments to Log4j version 2.17.1 (Updated recommendation January 6th 2021 as 2.17 has now been reported by Apache as susceptible to a Denial of Service attack) and deploy the configuration mitigations recommended by Apache, more details in this article.
  • Review your software supply chain and software bill of materials. Seek mitigation countermeasures or patches from either open-source software project maintainers or commercial software manufacturers for all affected systems. This is especially true for software you are running on internet-facing systems but should not be limited to such systems due to the lateral attack threat posed by the severity of this vulnerability. 
  • Actively monitor the infrastructure for potential exploitation attempts and respond accordingly.

It is important to note this is a highly dynamic situation and many software vendors and open-source projects are still investigating the presence of Log4j2 in their software bill of materials with additional advisories expected over the coming days and weeks. Therefore, closely monitoring for vendor updates should be a critical part of your ongoing mitigation efforts.

Bitdefender Products and Services 

Bitdefender is actively investigating the potential risks posed by this vulnerability to customers using our products and services. The Bitdefender security engineering and security operations teams are continuously auditing and deploying any needed mitigation countermeasures to our cloud infrastructure and products to identify and eliminate potential risks. 

  • GravityZone Cloud: required mitigations have been deployed to the GravityZone Cloud infrastructure. No action is required by Bitdefender customers. 
  • GravityZone On-Premises: these deployments are unaffected by the vulnerability. No action is required by Bitdefender customers.   

Since this situation is dynamic and evolving, we will continue to actively monitor for new developments and will provide further status updates and guidance to our customers as needed.  

Apache Log4j 2.17.1 update - January 6, 2022

Bitdefender recommends downloading and upgrading to the Apache Log4j 2.17.1 patch at this time.

No additional risks posed by this vulnerability to customers using our products and services have been identified at this time. We continue to actively monitor and will deploy any needed mitigation countermeasures should they be required (last updated December 28, 2021).

Additional Resources 

 

Contact an expert

tags


Author


Bitdefender Enterprise

Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumer, enterprise, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. With deep investments in research and development, Bitdefender Labs discovers hundreds of new threats each minute and validates billions of threat queries daily. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioral analytics, and artificial intelligence and its technology is licensed by more than 180 of the world’s most recognized technology brands. Founded in 2001, Bitdefender has customers in 170+ countries with offices around the world.

View all posts

You might also like

Bookmarks


loader