Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin

Protect yourself against a widely exploited vulnerability CVE-2021-44228 (Apache Log4j2 ver 2.1)

On December 9th, an acute remote code execution (RCE) vulnerability was reported  in the Apache logging package Log4j2 versions 2.14.1 and below (CVE-2021-44228). Apache Log4j is the most popular java logging library with over 400,000 downloads from its GitHub project. It used by a vast number of companies worldwide, enabling logging in a wide set of popular applications.
Exploiting this vulnerability is simple and allows threat actors to control java-based web servers and launch remote code execution attacks.

What do you need to do in order to remain protected?

Check Point already released a new Quantum Gateway protection powered by Threat Cloud, designed to prevent this attack, and by using it- you’ll stay protected.
If your Quantum gateways are updated with automatic new protections, you are already protected. Otherwise, you need to implement a new protection by following the guidelines here. We urge IT and Security teams to take immediate remediation measures on the matter.

Is Check Point affected by this vulnerability?

The Check Point Infinity architecture is not impacted by this threat.
We thoroughly verified that the vulnerability does not affect our Infinity portfolio including Quantum Gateways, SMART Management, Harmony Endpoint, Harmony Mobile, ThreatCloud and CloudGuard.

What’s next? 

Check Point Research is thoroughly investigating the vulnerability

Check Point Research (CPR) closely monitors the massive scans and exploit attempts. While the activity as we write these lines is limited to scanners and mostly crypto mining threat actors, it does not mean more advanced threat actors are just sitting back enjoying the noise activity. In fact, they are acting silently behind the scenes.

It is clearly one of the most serious vulnerabilities on the internet in recent years.
When we discussed the Cyber pandemic, this is exactly what we meant – quickly spreading devastating attacks.

The numbers behind CVE-2021-44228

This CVE joins the general atmosphere of cyber pandemic where major vulnerabilities in popular software and services impact enormous number of organizations.
Since we started to implement our protection we prevented over 100.000 attempts to allocate the vulnerability, over 50% of those attempts were made by known malicious groups.
We have so far seen an  attempted exploit on over 23% of corporate networks globally

What did Check Point do for mitigation? 

Check Point Software released a Quantum Gateway Protection  against the Apache Log4j Remote Code Execution (CVE-2021-44228) vulnerability. We urge all customers to make sure the protection is set on prevent, to avoid the exploitation of their assets.

Additionally, Apache has provided a patch (Log4j 2.15.0) to mitigate the vulnerability. Users may update their version accordingly.

If not possible, according to Apache advisory, other remediation steps are possible:

  • For Log4j 2.10 or higher: add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to the log4j2.component.properties file on the classpath to prevent lookups in log event messages.
  • For Log4j 2.7 or higher: specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.

Remove the JndiLookup and JndiManager classes from the log4j-core jar.

Note that removal of the JndiManager causes the JndiContextSelector and JMSAppender not to function.

How can Check Point continue to help you?

We will continue to update on any new development of this significant security event.
Our technical support teams are available for you 24/7 and we are all at your service to make sure you’ll stay protected.

More information:

SecureKnowledge Article "Check Point response to Apache Log4j Remote Code Execution (CVE-2021-44228)...

Check Point Blog Post about the vulnerability

Cyber Pandemic update – Critical vulnerability in Apache Log4j

Second Log4j Vulnerability (CVE-2021-45046) Discovered

(1)
2 Replies
Hugo_vd_Kooij
Advisor

My main concern is that IPS signature are not much good if you don't inspect incoming HTTPS traffic. Which in my view is the blind spot of most protections. And most customer have not configured things correctly for this.

Miracles happen while you wait. The impossible jobs take just a bit longer.
796570686578
Collaborator

Thank you for the Update!

I  have seen that some payloads are getting more complex and not necessarily contain "jndi" as a string and try to bypass detection that way. 

For example, a payload may contain 

 

 

Now when I try to search the logs for these or parts of it, it seems like it doesn't treat it as a string but instead shows me every log entry that contains a j. I have tried to wrap it in "", '' and escaping with \ but that doesn't seem to work.. Does anyone know if it's possible to search the logs in SmartConsole for these more complex payloads?