Log4j vulnerability (CVE-2021-44228)
The current log4j security vulnerability threatens the IT infrastructure of numerous companies and private users. The Federal Office for Information Security (BSI) has raised the threat level to red, the highest warning level.
Why is the problem so big?
Log4j is a popular logging library for Java applications. This third-party library is widely used by numerous services and applications to log events. It is currently unclear exactly where Log4j is deployed. This critical vulnerability therefore potentially affects all internet-accessible Java applications that use Log4j to log parts of user requests.
A central overview can be found here and is constantly updated: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592?fbclid=IwAR24gdg6jQ1cE72sXp61Btx69z-lZQNV__OV8oBkPBlF2oJKE_q7MfFfTiY
What exactly happens?
A huge number of servers, services, and applications are affected. Hackers are actively exploiting the zero-day vulnerability and conducting extensive scans to identify and compromise affected systems. The BSI (Federal Office for Information Security) can confirm such scanning activities.
In addition to successful compromises using cryptominers, [3602021] provides initial indications that the vulnerability is also being exploited by botnets. It is highly likely that attacker activity related to this vulnerability will increase significantly in the coming days.
What can I do?
The vulnerability affects versions 2.0 through 2.14.1. The Apache Project has closed the security gap with the short-notice release of version 2.15. Please update your devices where necessary.
Check out the websites linked above and research all the manufacturers you work with. You should consider open communication with your (business) customers.
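Because it is often unclear where Log4j is deployed, a first step is an inventory of log4j-core jars on each host, compared against the version range stated above. The script below is an added example, not code from the original article or from SYNAXON; it assumes the version can be read from the jar manifest's Implementation-Version header or, failing that, from the file name, and the two sample jars it builds are constructed test data.

```python
import os
import re
import zipfile
import tempfile
AFFECTED = ((2, 0, 0), (2, 14, 1))  # 2.0 through 2.14.1 as stated in the article; 2.15 is fixed

def parse_version(text):
    """Return (major, minor, patch) from text such as '2.14.1' or '2.0', else None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None

def is_affected(version):
    """True when the version falls inside the range given in the article."""
    return version is not None and AFFECTED[0] <= version <= AFFECTED[1]

def jar_version(path):
    """Prefer Implementation-Version from the jar manifest, fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: rely on the file name
    return parse_version(os.path.basename(path))

def scan_for_log4j(root):
    """Walk root and return [(path, version, affected)] for every log4j-core jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                findings.append((path, ver, is_affected(ver)))
    return findings

def build_sample_tree():
    """Constructed sample data: two minimal jars whose manifests carry a version."""
    root = tempfile.mkdtemp()
    for sub, ver in (("app1/lib", "2.14.1"), ("app2/lib", "2.15.0")):
        d = os.path.join(root, sub)
        os.makedirs(d)
        with zipfile.ZipFile(os.path.join(d, f"log4j-core-{ver}.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return root

if __name__ == "__main__":
    for path, ver, hit in scan_for_log4j(build_sample_tree()):
        print("AFFECTED" if hit else "ok", ver, path)
```

Point `scan_for_log4j()` at a real application directory to inventory a host; note that Log4j can also be bundled inside other archives, which this filename-based walk does not open.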
Are the SYNAXON Managed Services systems affected?
Of course, we have been in contact with our manufacturers since the security vulnerability became known. Numerous manufacturers have already reacted to the threat and patched their systems over the weekend.
Here is an overview of all our systems:
| SYNAXON Managed Services Product | Product affected: Yes/No |
|---|---|
| Monitoring & Management (N-able) | Update from N-able: https://status.n-able.com/2021/12/10/apache-log4j-vulnerability-updated-6-p-m-est-december-10-2021/ Not affected: Backup, Take Control, Passportal. RMM: N-able has assessed the risk within RMM and provided patches for all potentially vulnerable components. |
| Managed Endpoint Protection (ESET) | Not affected: https://forum.eset.com/topic/30691-log4j-vulnerability/ "Log4j is not used in our products, therefore they are not affected by this vulnerability." |
| Managed Backup (Acronis) | Not affected |
| Managed Email Archiving (Mailstore) | Not affected: https://www.mailstore.com/de/blog/mailstore-schwachstelle-log4shell-betroffen/ |
| Managed Firewall (Network Box) | Not affected |
| Managed Antivirus (Bitdefender) | Remedial measures have been implemented: https://businessinsights.bitdefender.com/security-advisory-bitdefender-response-to-critical-0-day-apache-log4j2-vulnerability |
| Managed Office | See Microsoft's response: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/ |
| Internal systems (SMS dashboard, customer billing, sales opportunity report, …) | All systems were checked and patched. |
How can I protect myself / my customers?
If you have compromised systems yourself, these must of course be updated immediately.
However, the consequences of successful attacks (see above) are far more important. Therefore, ensure that all your customers have up-to-date endpoint protection installed, that their firewalls have been updated where necessary, and that your customers are made aware of the issue.
Does the SYNAXON Managed Firewall provide protection?
The manufacturer has implemented corresponding IDS and IPS signatures on all Network Box systems and is currently working on suitable WAF signatures.
Are there scripts for SYNAXON monitoring?
A script review has been provided. The blog post can be found here.
What happens next?
Since many questions remain unanswered regarding this security vulnerability, this article can only provide initial guidance. We will update and add to this information as new information becomes available.
Useful links
IT Business Articles:
BSI report:
N-able Updates:
ESET:
https://forum.eset.com/topic/30691-log4j-vulnerability/
Huntress Blog:
https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
Update 13.12.21, 17:00
Our partner, CosH Consulting GmbH, has released a template for customer communication regarding Log4j for free use and adaptation:
Update 14.12.21 09:30
SYNAXON Academy has organized a free informational webinar for our partners with Thomas Wittmann (security expert and former hacker) on Thursday, December 16th, from 1:30 PM to 2:00 PM. He will explain the risks, detection, and prevention options for this new attack and answer questions. If you are interested, you can register via this link: https://events.synaxon.de/events/37968
Update 14.12.21 10:00
Update from N-able – We have assessed the risk within RMM and provided patches for all vulnerable components starting at 4:00 PM EST on December 10th.
Update 15.12.21 12:07
Update from ESET: "As of December 11th, the Network Attack Protection feature in ESET security products on Windows was updated to detect the vulnerability. ESET has been blocking attempted attacks from 14:24 CET the same day."
https://support.eset.com/en/alert8188-information-regarding-the-log4j2-vulnerability
Update 15.12.21 18:18
Mailstore update: "Our products are NOT affected."
The table has been updated with the link to the statement.
Update 20.12.21 10:44
Internal systems update: "All systems have been checked and patched."
The table has been updated. Addendum to the monitoring review.