Which AV Products Are Easy Targets For the Log4j Vulnerability?
The ongoing Log4j vulnerability has left a number of AV and IT products at risk, including many that commercial and residential integrators may use.
Multiple governments’ cyber agencies have released a long list of technology vendors and their products that are impacted by the Log4j vulnerability. They include the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Dutch National Cyber Security Centrum (NCSC).
The two agencies are maintaining running lists of vendors impacted by the vulnerability on their respective GitHub repositories. These lists includes the name of the vendor, the product impacted and information about security patches. There are also links back to the vendor’s security advisory.
As of Wednesday afternoon, the CISA repository listed more than 500 products from manufacturers. There are lists products that are affected, under investigation or not affected. Read more about CISA’s recommendations on this major issue here.
The NCSC has a much more comprehensive list of about 1,900 products and their vulnerability status. However, not all vendors listed have vulnerable products.
Both lists also offer information about workarounds and temporary mitigations while the solutions are patched.
Prominent vendors are appearing on these lists. They include Cisco, VMWare, Amazon, IBM, Fortinet, Microsoft, Splunk, Sophos and Red Hat. Others of the largest enterprise technology providers in the world are present, too.
- CISA repository: https://github.com/cisagov/log4j-affected-db
- NCSC repository: https://github.com/NCSC-NL/log4shell/tree/main/software
Both of those resources list some AV-aligned vendors. However, we recommend also checking out this Reddit post.
In addition, individual manufacturer pages can provide more detailed information.
Widespread Exploitation Attempts
Because of the broad vulnerability across the entire IT ecosystem, coupled with the simplicity of this exploit, attackers have pounced at the opportunity to leverage this for a variety of purposes. Those include cryptojacking, ransomware and other attack methods.
According to cybersecurity provider Check Point, the company has seen an attempted exploit on 46% of global corporate networks The firm’s software has helped prevent over 1.8 million attempts to exploit the vulnerability.
What’s especially concerning, however, is that known threat actors are responsible for nearly half of those attempts. Those include perhaps nation-state actors and other sophisticated groups. Such groups typically have access to more resources and advanced tools.
Attacks leveraging this vulnerability have also rapidly escalated, with attacks nearly doubling between Dec. 11 and Dec. 13, according to Check Point’s data.
The global average of corporate networks being attacked via this vulnerability is about 46%. However, some countries have seen over 60% of corporate networks impacted.
What’s even more concerning is the type of organization being attacked. According to Check Point, at least 55% of internet service providers, managed service providers, value-added resellers and other third-party tech service providers have reported being attacked.
As is often the case, those kinds of organizations represent valuable hacking targets. The reason is they likely hold the keys to the networks of thousands of additional organizations.
Another Log4j Security Update
Apache quickly released Log4j version 2.15.0 in a security update to address the main vulnerability that was exposed last week. But the foundation this week released another update, 2.16.0. It addresses a remote denial-of-service vulnerability in certain non-default configurations.
Organizations are advised to apply the new update immediately.
According to The Apache Foundation, 2.15.0 restricts JNDI LDAP lookups to localhost by default. However, 2.16.0 disables access to JNDI by default and lookups now need to be enabled explicitly.
The update limits the protocols by default to only Java, LDAP and LDAPS. It also limits the LDAP protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed, the organization says in an advisory.
This article originally appeared on our sister publication Commercial Integrator‘s website.
