A remote code execution (RCE) vulnerability in the highly popular Java logging library log4j is taking the world by storm. It will likely be the most talked-about vulnerability of 2021, given how widespread this open-source library is. Network operators are already reporting a large spike in the number of exploit attempts, so we recommend taking action immediately to prevent any breaches.
About the Log4J vulnerability
There are plenty of high-quality analyses describing the vulnerability. We recommend:
Automatic detection of Log4J CVE 2021-44228
Hdiv Detection (IAST) automatically finds the presence of this vulnerability in your applications. In fact, we provide two redundant features that will help your team find and fix this problem:
Hdiv automatic injection detection
The log4j vulnerability has an injection weakness at its core. Essentially, untrusted data from the request reaches a log4j logging call, which processes this input without proper sanitization. Our taint-tracking technology follows all data during execution, from the request to the logging sink, so we can effectively find this zero-day without any customization.
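To make the taint-tracking idea concrete, here is an added, self-contained model of it in Python; it is not Hdiv's engine and not log4j, and the `Request`, `TaintedStr` and `check_log_sink` names are constructed for illustration. Request header values are labelled at the source, the label survives string concatenation and parameter substitution, and the instrumented logging sink reports any message that still carries the label. The same sink check catches both direct concatenation and parameterized logging, because the parameters are rendered into the message before the logger processes it:

```python
"""Minimal model of request-to-logger taint tracking.
Added example to show the detection idea behind an IAST agent; it is
not Hdiv's engine, and all names here are constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional


class TaintedStr(str):
    """A str that remembers where it came from. Concatenating it with
    anything yields another TaintedStr, so the label follows the data."""

    origin: str

    def __new__(cls, value, origin: str = "untrusted"):
        obj = super().__new__(cls, value)
        obj.origin = origin
        return obj

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other), self.origin)

    def __radd__(self, other):
        # Python tries the subclass's reflected method first, so
        # "literal" + tainted lands here and the result stays tainted.
        return TaintedStr(str.__add__(other, self), self.origin)


def render(template: str, *args) -> str:
    """Mimics parameterized logging (logger.info("x {}", arg)): arguments are
    substituted into the message before the logger processes it, so taint on
    any argument carries over to the whole message."""
    result = template.format(*args)
    for arg in args:
        if isinstance(arg, TaintedStr):
            return TaintedStr(result, arg.origin)
    return result


class Request:
    """Constructed stand-in for an HTTP request; header values are taint sources."""

    def __init__(self, headers: dict):
        self._headers = headers

    def header(self, name: str) -> TaintedStr:
        return TaintedStr(self._headers.get(name, ""), origin=f"request header {name}")


@dataclass
class Finding:
    sink: str
    origin: str
    message: str


def check_log_sink(message: str) -> Optional[Finding]:
    """The instrumented sink: report when untrusted data reaches the logger call."""
    if isinstance(message, TaintedStr):
        return Finding("Logger.info", message.origin, str(message))
    return None


def run_demo() -> List[Finding]:
    """Three log messages: a literal, a concatenation, a parameterized one."""
    req = Request({"User-Agent": "ExampleClient/1.0 (constructed sample)"})
    candidates = [
        "application started",                                # literal: clean
        "client agent: " + req.header("User-Agent"),          # concatenation: tainted
        render("client agent: {}", req.header("User-Agent")), # parameterized: tainted
    ]
    return [f for f in map(check_log_sink, candidates) if f]


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding.sink}: data from {finding.origin} reached the sink: {finding.message!r}")
```

The point of the model is that the rule needs no knowledge of the specific payload: it only needs to know the sources (request data) and the sink (the logger API), which is why a taint-tracking agent can flag this flow without any custom signature.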
Hdiv Software Composition Analysis (SCA)
Hdiv Detection includes SCA capabilities that detect CVE vulnerabilities within open-source libraries like log4j. CVE-2021-44228 is under revision and will be published in a few days. Once it has been published, Hdiv will identify the applications affected by this new CVE, even when the dependency is second-order, i.e. transitive (a dependency of a dependency).
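As an added illustration of what an SCA check for this CVE has to do, the Python script below walks `mvn dependency:tree` output and flags `log4j-core` at any depth, reporting the chain of dependencies that pulled it in. It is not Hdiv's SCA engine; the dependency tree is a constructed sample, not a real project, and the version range encoded in `affected_by_cve_2021_44228` (2.0-beta9 through 2.14.1, minus the later backported fix lines 2.3.1+ and 2.12.2+) is taken from the public CVE advisory for CVE-2021-44228 only, not from the other log4j CVEs published afterwards:

```python
"""Flag log4j-core versions affected by CVE-2021-44228 in `mvn dependency:tree`
output, including transitive dependencies. Added example, not Hdiv's SCA engine."""

import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `mvn dependency:tree` output; no real project.
SAMPLE_TREE = r"""[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
[INFO] +- com.example:legacy:jar:1.0:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
"""

# Tree lines: "[INFO] " then a prefix of 3-char tokens ("+- ", "\- ", "|  ", "   ")
# whose count is the depth, then the Maven coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>\S+)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    depth: int          # 0 = the project itself, 1 = direct, >= 2 = transitive
    path: List[str]     # coordinates from the project root down to this dependency


def affected_by_cve_2021_44228(version: str) -> bool:
    """True for log4j-core 2.0-beta9 .. 2.14.1, excluding the 2.3.1+ and 2.12.2+
    backported fix releases. Range per the CVE-2021-44228 advisory only."""
    m = VERSION_RE.match(version)
    if not m:
        return False                # unrecognised scheme; a real tool would flag it for review
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    tag, pre = m.group(4), m.group(5)
    if major != 2:
        return False                # this CVE concerns the 2.x line
    if minor == 0 and tag is not None:
        return tag == "rc" or int(pre) >= 9   # 2.0-beta9 up to the 2.0 release candidates
    if minor == 12 and patch >= 2:
        return False                # 2.12.2+ backported fix (Java 7 line)
    if minor == 3 and patch >= 1:
        return False                # 2.3.1+ backported fix (Java 6 line)
    return minor <= 14


def parse_tree(text: str) -> List[Dep]:
    """Parse the tree, keeping a stack of ancestors so each Dep records its path."""
    deps: List[Dep] = []
    stack: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue                # not a coordinate (plugin banner, BUILD SUCCESS, ...)
        # root: group:artifact:type:version; others: group:artifact:type[:classifier]:version:scope
        version = parts[3] if len(parts) == 4 else parts[-2]
        depth = len(m.group("prefix")) // 3
        del stack[depth:]
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        deps.append(Dep(parts[0], parts[1], version, depth, list(stack)))
    return deps


def scan(text: str) -> List[Dep]:
    """Return every log4j-core occurrence whose version is in the affected range."""
    return [d for d in parse_tree(text)
            if d.group == "org.apache.logging.log4j" and d.artifact == "log4j-core"
            and affected_by_cve_2021_44228(d.version)]


if __name__ == "__main__":
    for dep in scan(SAMPLE_TREE):
        kind = "direct" if dep.depth == 1 else f"transitive (depth {dep.depth})"
        print(f"{dep.artifact} {dep.version} is affected; {kind}, pulled in via:")
        print("  " + " -> ".join(dep.path))
```

In the sample, `log4j-core 2.14.1` is three levels down, behind a starter and an SLF4J binding, which is exactly the case a glance at the top-level `pom.xml` would miss; `log4j-api` alone and the 1.x `log4j:log4j` artifact are outside this CVE's range and are not reported. A dependency tree only covers what the build declares, so a deployment-side check of the jars actually shipped is still worthwhile.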
Hdiv protects from Log4J CVE 2021-44228 automatically
Hdiv Protection (RASP) provides automatic protection from CVE-2021-44228 through the combination of three protection features:
Untrusted Deserialization:
Exploiting the log4j vulnerability CVE-2021-44228 requires an untrusted deserialization operation in order to load the malicious class from an external server and execute it on the victim server. Hdiv RASP blocks Untrusted Deserialization attacks automatically.
Microsegmentation:
The Hdiv Protection (RASP) microsegmentation feature monitors and blocks remote calls from the server to any untrusted third-party server. In the log4j vulnerability, the exploit loads a class containing the executable code from a malicious server controlled by the attacker. Hdiv RASP prevents this outbound call.
Arbitrary Code Execution:
The Hdiv Protection (RASP) Arbitrary Code Execution rule monitors and blocks operating system command execution. It works by whitelisting the functions that are allowed to run, if any, so it blocks any other command execution within the JVM, including the RCE at the core of the log4j exploit.
We are ready to help mitigate the Log4J vulnerability
We are ready to help your team eliminate the exposure to this serious vulnerability. Please contact us and we will provide any additional details and next steps.