On Thursday, December 9, security researchers at LunaSec published details of a critical zero-day vulnerability in Apache Log4j 2. Successful exploitation of the remote code execution flaw, dubbed Log4Shell and tracked as CVE-2021-44228, can give attackers access to sensitive data and ultimately full control of the affected server. The Apache Software Foundation was notified confidentially of the vulnerability on November 24 and issued a patch on December 9.
It’s now known that Log4Shell attacks began as early as December 1. Since the public disclosure, exploitation attempts have continued to accelerate, and one security firm detected more than 10,000 distinct IP addresses probing the internet for the vulnerability.
Log4j is a Java-based logging library embedded in a very large number of applications, and security firm BitSight estimates that up to 34% of companies could be affected by the vulnerability. Log4Shell is easy to exploit: an attacker only has to get a crafted string into any input that the application logs, and the resulting code execution is readily leveraged to deploy ransomware or other next-stage attacks, so organizations need to address it quickly. Security teams should immediately determine which of their software vendors’ products are vulnerable and apply the mitigations those vendors require. You should also plan to update any custom-built Java applications that use the Log4j 2 library to Log4j 2.16.0.
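Working out which deployments still need attention usually comes down to finding every copy of log4j-core on disk, including copies buried inside fat jars, wars and ears, and reading its version. The scanner below is an added example written for this post; it is not HYPR’s or Apache’s tooling. It locates log4j-core by the Maven pom.properties path the artifact ships with and by the JndiLookup class, classifies the version against the 2.15.0 and 2.16.0 fixes (and the 2.12.2 backport for the Java 7 line), and reports a jar whose JndiLookup.class has been deleted as mitigated. The jars it builds when run without arguments are constructed stand-ins containing only a pom.properties and a placeholder class entry, not real Log4j builds; the version thresholds are Apache’s published affected ranges.

```python
"""Added example (not HYPR's or Apache's tooling): find log4j-core jars under a directory,
including jars nested in fat jars/wars/ears, and report CVE-2021-44228/45046 status."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Version tuples: (major, minor, patch, stage, pre-release number); stage 0=beta, 1=rc, 2=final
FIRST_AFFECTED = (2, 0, 0, 0, 9)    # 2.0-beta9 introduced the JNDI lookup
FIXED_44228 = (2, 15, 0, 2, 0)      # 2.15.0 closed CVE-2021-44228
FIXED_45046 = (2, 16, 0, 2, 0)      # 2.16.0 closed CVE-2021-45046 as well
JAVA7_BACKPORT = (2, 12, 2, 2, 0)   # 2.12.2 carries both fixes for the Java 7 line

def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), {"beta": 0, "rc": 1}.get(stage, 2), int(num or 0))

def classify(version):
    """Map a log4j-core version string to its CVE-2021-44228 / CVE-2021-45046 status."""
    v = parse_version(version)
    if v is None:
        return "unknown version"
    if v < FIRST_AFFECTED:
        return "not affected"
    if v == JAVA7_BACKPORT or v >= FIXED_45046:
        return "fixed"
    if v >= FIXED_44228:
        return "CVE-2021-45046 (upgrade to 2.16.0)"
    return "CVE-2021-44228 + CVE-2021-45046 (upgrade to 2.16.0)"

def read_version(zf):
    if POM_PROPERTIES not in zf.namelist():
        return ""
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return ""

def inspect_archive(data, path):
    """Yield one finding per log4j-core in the archive bytes, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = read_version(zf)
        if version or has_jndi:
            status = classify(version) if version else "unknown version"
            # Apache's class-removal mitigation deletes JndiLookup.class; without it the
            # lookup cannot run, so an affected version with the class gone is mitigated.
            if not has_jndi and status not in ("fixed", "not affected"):
                status = "JndiLookup.class removed (mitigated)"
            yield {"path": path, "version": version, "status": status}
        for name in sorted(names):  # nested jars inside fat jars, wars and ears
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(name), path + "!/" + name)

def scan_tree(root):
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings

def build_sample_tree(root):
    """Write constructed stand-in jars (not real Log4j builds) so the scanner runs offline."""
    def core_jar(version, keep_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, "artifactId=log4j-core\nversion=%s\n" % version)
            if keep_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        return buf.getvalue()
    os.makedirs(root, exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as app:  # fat jar with nested 2.14.1
        app.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1"))
    for name, data in (("log4j-core-2.15.0.jar", core_jar("2.15.0")),
                       ("log4j-core-2.14.1-stripped.jar", core_jar("2.14.1", keep_jndi=False))):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo():
    """Build the sample tree in a temp dir, scan it and return {jar name: status}."""
    root = tempfile.mkdtemp(prefix="log4j-sample-")
    build_sample_tree(root)
    return {os.path.basename(f["path"].replace("!/", "/")): f["status"] for f in scan_tree(root)}

if __name__ == "__main__":
    print(*("%-50s %s" % (status, jar) for jar, status in demo().items()), sep="\n")
```

To use it on a real host, call scan_tree on the directories that hold your applications (for example /opt or an application server's deployment directory). A 2.15.0 result means the first fix is in place but the upgrade to 2.16.0 is still outstanding. The scanner only recognises the log4j-core 2.x artifact, so it does not flag Log4j 1.x, and it cannot see classes unpacked onto disk outside an archive or jars inside containers it has not been pointed at.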
When HYPR learned of the vulnerability, our Cloud and Security Operations teams evaluated our cloud-hosted and on-premises solutions to determine any impact. We tested, validated and implemented steps to remediate any exposure. On December 10, HYPR Cloud Ops pushed the initial remediation recommended by Apache to all affected environments. On-prem customers were provided with specific initial mitigation steps to take, along with any assistance required.
On December 14 the Apache Software Foundation reported a new, moderate-rated vulnerability, CVE-2021-45046, after finding that the initial patch and the mitigation steps previously outlined for CVE-2021-44228 were incomplete in certain non-default configurations. The HYPR security team assessed the risk and delivered customer communications.
This is an evolving vulnerability and the HYPR security team continues to investigate.
Based on currently available data, there is no indication that the exploit was successfully used against HYPR services.
As this vulnerability clearly shows, the entire industry has a significant dependency on open source and open standards technology. As a founding member of the FIDO Alliance, HYPR is a firm believer that openness provides both the best software and the best security overall. In order to continue to support this, we’re donating $10,000 to the Apache Software Foundation to continue their efforts.
Stay tuned as this story develops. We will post any updates on our LinkedIn and Twitter channels, as well as issuing alerts and notifications to customers directly.
Editor's note 12-14-21: This blog has been updated to reflect new information from Apache that their initial mitigation measures and patch were incomplete.
Editor’s note 12-15-21: This blog was updated to reflect Apache’s report of a new, related, moderate-rated vulnerability, CVE-2021-45046.