ITS Information Assurance Advisory: Update to version 2.17.0 Apache Log4j

02/22/2023

A zero-day exploit that was originally communicated through an IA Alert on December 10, 2021 is affecting the Apache Log4j utility that could result in remote code execution. This remains an active threat. 

 

This message is intended for U-M owners of systems that are at risk of attack due to the vulnerability in the Apache Log4j utility.

IMPORTANT UPDATE: US healthcare organizations, including those in the public health sector, are being targeted again by threat actors looking to exploit this zero day vulnerability. If you have not done so, update Log4j to version 2.17 as soon as possible to disable the vulnerable features of log4j.

PROBLEM: Log4j is a Java-based logging library maintained by the Apache Software Foundation. According to the Cloudflare Blog, “In the affected Log4j versions, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

AFFECTED VERSIONS: Apache Log4j 2.0-beta9 up to 2.16.0

ACTION ITEMS: 

  • Update to version 2.17.0 Apache Log4j or later after appropriate testing

  • Log4J is embedded in a large number of commercial software applications. Be aware of any vendor updates for these packages and apply patches as quickly as possible.

THREATS: Exploit code is publicly available, widespread scanning for vulnerable systems is occurring, and this vulnerability is being exploited actively in the wild.

TECHNICAL DETAILS: For details, see Apache Log4j Security Vulnerabilities.

HOW WE PROTECT U-M: 

  • The impacted systems are identified through the Tenable vulnerability scanning agent. We encourage you to work with IA to deploy the Tenable agent to all of your systems. The Tenable agent provides significantly more efficient, accurate, and complete vulnerability scanning results than can be provided with remote network scanning. Submit a ticket to the ITS Service Center with attention to ITS-IAPROACTIVE-Security to begin deployment of the Tenable agent on your unit’s systems.

  • ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

INFORMATION FOR USERS:  

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious EmailSecure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

QUESTIONS, CONCERNS, REPORTS: Please contact ITS Information Assurance through the ITS Service Center.

Sincerely,

ITS Information Assurance

REFERENCES: