An industry-wide vulnerability was disclosed in early December in an open-source Java logging component (known as Log4j) and identified by CVE-2021-44228. This component is included in many software and server applications, and the vulnerability is rated critical because exploits are already known to be in use in the wild. Because it allows remote code execution, exploitation can be used to carry out a range of actions including:
- Deployment of ransomware
- Deployment of botnets
- Deployment of remote access tools
- Deployment of further attack tools
RM’s Products and Systems
RM is actively assessing our products and supply chains for exposure to this vulnerability, and at this stage our analysis confirms that none of RM’s products and services are believed to be vulnerable.
Customers are urged to review their current IT systems and act accordingly to ensure that they are protected. This should include reviewing systems under your direct control in addition to checking partners in your supply chain to verify that they too have taken action, if necessary.
RM has published some general guidelines here: RM advice about the 'Log4j 2' (December 2021) vulnerability (CVE-2021-44228) and this article will be updated as more information is released by individual vendors.
Customers should follow these steps:
- Assess your IT systems and contact suppliers to understand where you may be vulnerable
- Patch affected software and server applications as and when these become available
- If a patch is not available, then consult your supplier for known mitigations. These may be configuration changes to specific applications or network changes (please see here for a list of vendor notifications created by the Dutch National Cyber Security Centre)
For example, on Windows devices you can deploy an environment variable as a mitigation. We have provided links in the guidelines above to Microsoft’s documentation, and suggest starting with servers (particularly public facing) to provide some initial protection. If you are unable to patch a vulnerable system, particularly one that is public facing, then you may need to make a risk-based decision as to whether or not it is safer to shut the system down.
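The assessment and environment-variable steps above, as an added PowerShell example that is not RM’s or Microsoft’s own code: it locates log4j-core JARs under a set of assumed root folders, reads each JAR’s version from its manifest, and sets the machine-wide LOG4J_FORMAT_MSG_NO_LOOKUPS variable. The root folders are assumptions; adjust them for your estate.

```powershell
# Added example, not part of the original advisory. Run as Administrator on PowerShell 5.1 or later.
# The variable is only honoured by Log4j 2.10 and later and is a stopgap until the software is patched;
# Java services must be restarted before they see it.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jCoreVersion {
    param([string]$JarPath)
    # Read Implementation-Version from META-INF/MANIFEST.MF inside the JAR (a JAR is a ZIP file).
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($JarPath)
        try {
            $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
            if (-not $entry) { return $null }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            $manifest = $reader.ReadToEnd()
            $reader.Dispose()
            if ($manifest -match 'Implementation-Version:\s*([\d\.]+)') { return $Matches[1] }
            return $null
        } finally { $zip.Dispose() }
    } catch { return $null }
}

function Find-Log4jCore {
    param([string[]]$Roots)
    # Only top-level JARs are found; log4j-core bundled inside WAR/EAR or "fat" JARs needs a deeper scan.
    Get-ChildItem -Path $Roots -Recurse -Filter 'log4j-core*.jar' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Version = Get-Log4jCoreVersion -JarPath $_.FullName
            }
        }
}

function Set-Log4jNoLookups {
    [Environment]::SetEnvironmentVariable('LOG4J_FORMAT_MSG_NO_LOOKUPS', 'true', 'Machine')
    # Confirm from the registry, because the current session's environment is not refreshed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    (Get-ItemProperty -Path $key).LOG4J_FORMAT_MSG_NO_LOOKUPS
}

# Assumed search roots; widen or narrow to match where your applications are installed.
$roots = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\inetpub')
Find-Log4jCore -Roots $roots | Format-Table -AutoSize
Set-Log4jNoLookups
```

Treat the JAR inventory as input to the risk decision described above rather than as proof of safety, since a missing result only means no top-level log4j-core JAR was found under the roots searched.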
For environments with logging capability, we recommend checking those logs for indicators of compromise to help inform that decision. Details on specific log items to search for are available from NCC Group’s live incident blog.
There is ongoing and evolving concern for a wide range of systems and organisations globally, meaning the situation may be subject to change. We will continue to work with vendors and supply chains, in addition to continually assessing our own systems, and will provide an update if the situation changes.
For more information, speak to your RM Account Manager.