A zero-day vulnerability of Log4j (CVE-2021-44228), 一个开源的, Java-based logging utility widely used by enterprise applications and cloud services, 最近才曝光.
Log4j2 incorporates a logging feature called “Message Lookup Substitution.查找方法之一, JNDI查找与LDAP协议配对, calls a Java class from a remote source giving the ability to execute part of its code, resulting in a scenario in which an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
这个漏洞叫做Log4shell, is considered critical as it impacts almost all version of Log4j (excluding the latest version 2.15.0). Millions of Java applications use this library to log error messages. 美国CISA局长伊斯特利在一份声明中说 声明: “To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
ISACA董事会主席Gregory Touhill, CISM, CISSP, 准将(退役), stated: “This is a significant cyber vulnerability that presents great risks to those whose infrastructure has the Log4j code embedded in various applications and systems. 正因为如此, it likely will take many weeks before many organizations are able to evaluate their applications and systems for risk exposure. Because the vulnerability can be exploited remotely by a single line of code, it is important to move quickly to take recommended mitigation actions now and stay informed through sources like national CERTs, ISACA, 原始设备和软件制造商, and other reputable sources as more analysis yields additional mitigation and risk management recommendations in the coming weeks.”
While many exploitation attempts around the world have been recorded in the last few days, it is important to implement immediate actions and also consider longer-term strategies from lessons learned. In terms of immediate actions, some of the advisory can be found below (steps updated 22 Dec. 2021年将反映新的指导意见):
- 在网络中搜索Log4J安装.
- Patch to the latest version of Log4J from the Apache Foundation (while Log4shell was addressed with version 2.15, new vulnerabilities were discovered, leading to subsequent patches 2.16和2.17).
- If patching is not possible, apply mitigating measures as reported in this link, although patching is considered the most appropriate solution.
- Keep monitoring the systems that incorporate Log4j for suspicious behavior.
In terms of longer-term strategies and as zero-day vulnerabilities are the norm, importance of detection and response policies and procedures, 包括以下内容, 必须强调:
- Readiness of the Security Operations Center (internal or outsourced service) to be able to react through appropriate training to zero-day vulnerabilities.
- Investment on incident response automation to have the response teams apply procedures in a timely and focused manner.
- Patching policies and procedures in place for keeping digital ecosystems up to date and upgrade-ready, including appropriate response plans and automated testing capabilities to react on a timely manner.
- 网络安全 maturity assessments and related improvements for ensuring that the organization is able to react in a predicted manner in case of a cyber incident.
- 网络安全密切合作, risk management and IT audit teams for providing assurance on the above.
Protecting against zero-day vulnerabilities requires vigilance, 训练有素的网络响应团队, 网络成熟的组织和, 最重要的是, collaboration among several different digital trust-related functions in the organization to ensure an in-time reaction and the minimum possible impact.
编者按: Watch ISACA's 克里斯Dimitriadis and Scott Reynolds discuss the latest Log4Shell updates in this ISACA直播视频.
