What you need to know about the Log4j vulnerability

Since being identified on December 9, the Log4j vulnerability has become a major concern for IT professionals who were forced to suddenly shift from their end-of-year wind down to high alert for potential exploits.

To assuage some of these concerns – and ensure that the Acronis community has the knowledge they need to respond to this vulnerability effectively, Acronis’ cybersecurity and cyber protection experts led a brief informational webinar earlier today. This event – featuring Kevin Reed (CISO), Topher Tebow (Senior Malware Researcher), James Slaby (Director of Cyber Protection) and Collin Apodac (Manager, Solutions Engineering) – drew hundreds of attendees and addressed what the Log4j vulnerability is, how it can pose a threat and the steps businesses can take to protect themselves and their clients.

If you weren’t able to join the webinar, a recording is available below.

Log4j is an Apache Java library that is often added to other applications to handle the logging of data — for example, to text files. It is widely popular since it’s simple to use, so thousands of applications use it. Affected applications include Steam, Minecraft, Blender, LinkedIn, VMware, and many more. The library has been downloaded from GitHub more than 400,000 times.

This Log4j vulnerability — also known as Log4Shell or CVE-2021-44228 — is a critical vulnerability that enables bad actors to initiate unauthorized remote code execution by logging a certain string. This is a textbook example of a tech supply chain vulnerability like those that have impacted Kaseya and SolarWinds.

The vulnerability is a result of Java’s fully object-oriented language, which can be exploited to deliver an executable file that is automatically executed. Attackers can leverage this vulnerability to steal your data, start ransomware reconnaissance and deployment, begin cryptomining operations or add your infrastructure to a botnet. Over the past few days we observed tens of thousands of vulnerability exploit attempts per hour at their peak.

Making matters worse, the time between the actual attempt and the exploit trigger isn’t always immediate. It can be delayed by minutes or hours and, as a result, evade scans performed by the publicly available scanners.

Immediately after learning of the vulnerability, the Acronis team checked the entire scope of products where the log4j library could have been applied to quickly identify where the vulnerability could impact us and our partners and customers, inform those potentially effected and take appropriate steps to ensure protection.

We’re pleased to confirm that all Acronis on-premises products are not vulnerable to this threat and that everything in Acronis Cyber Protect Cloud were mitigated before there was any sign of a successful vulnerability exploitation.

This vulnerability impacts nearly every version of Apache Log4j, from 2.0-beta9 to 2.14.1. The easiest and most effective way to protect your systems is to immediately install the latest Log4j update — version 2.15.0, available now via Apache Logging Services — in which the exploitable behavior in question has been disabled by default.

If, for any reason, you cannot update all relevant systems at the moment, there are a couple of short-term mitigation options available:

·       For admins running Log4j versions 2.10–2.14.1, disable message lookup substitution by setting the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

·       For admins running Log4j versions 2.0-beta9–2.10.0, remove the JndiLookup class from the classpath.

·       Block or monitor all outbound connections, as well as DNS queries from potentially affected servers.

To learn more about this vulnerability be sure to review our Security Advisory or download the presentation from our webinar, available here.