IA Alert Update: New info for updating Apache Log4j utility to address zero-day vulnerability

Review the following for new information for updating the Apache Log4j utility to address zero-day vulnerabilities. 

• Patch to Log4j version 2.16 wherever possible, as it fully remediates known vulnerabilities.

• Current intelligence indicates that applications using Log4j version 1.x are only vulnerable to CVE-2021-44228 when JNDI is used in their configuration. To mitigate, audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

• Log4j version 1.x reached end of life in August 2015 and is still affected by previously disclosed vulnerabilities. If you have applications using Log4j 1.x, please update to the current version of Log4j wherever possible and after appropriate testing. If installations of Lof4j 1.x have been provided as part of vendor software, ensure you are working with your vendor to upgrade.

• If you are unable to update to the current version of Log4j, 2.16.0, there are different mitigation steps for different versions of Log4j 2.x. Complete the appropriate mitigation actions detailed by the Cybersecurity & Infrastructure Security Agency (CISA) at: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance 

See the ALERT: Update Apache Log4j utility to address zero-day vulnerability page for full information from the original Alert, including updated Summary and Action Items sections.

ll system owners are required to validate their use of Log4j and determine your vulnerability status. One of the easier ways to do this is to utilize the Tenable vulnerability scanning agent. As we mentioned in our earlier communication, we encourage you to work with IA to get the Tenable vulnerability scanning agent deployed on your systems. The Tenable agent provides the most accurate vulnerability scanning results. Contact Iia.vulnscans@umich.edufor more information on Tenable vulnerability scanning.

Continue to monitor for indications of compromise on systems that may have had a vulnerable version of Log4j at any point since December 1, 2021. Refer to Checking Systems for Signs of Compromise and contact security@umich.edu if there is any reason to suspect a system has become compromised or you need assistance. 

What to monitor:

• Unusually high CPU utilization

• Unexpected processes, system changes, services, network connections, and new users/groups

• Unusual messages in logs

If you have questions regarding this vulnerability or the mitigation actions needed, please contact ITS Information Assurance through the ITS Service Center.

• Apache Log4j Vulnerability Guidance, Cybersecurity & Infrastructure Security Agent (CISA)

• The Log4j security flaw could impact the entire internet. Here’s what you should know, Cnn, 12/15/21

• 1.x end of life, Logging Services

• Download Apache Log4j 2, Log4j, 12/6/21

• RCE in log4j, Log4Shell, or how things can get bad quickly, Internet Storm Center, 12/10/21

• Apache Log4j Security Vulnerabilities, Log4j, 12/6/21

• CVE-2021-44228, Mitre Corporation, 11/26/21