This article will discuss information pertaining to the Log4j Remote Code Execution (RCE) vulnerability, and steps that Cato have taken to ensure that our customers stay protected.
This article pertains to CVE-2021-44228 which has been assigned a base CVSS score of 10.0 (CRITICAL)
Cato is currently assessing the impact that this vulnerability has on our customer base, and this article will be updated as the situation progresses.
Background and Impact
A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 to 2.14.1. This could allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.
This exploit would allow attackers to execute malicious code on Java applications, and as such, it poses a significant risk due to the prevalence of Log4j across the global software estate.
This issue appears to only affect log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:
- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,
- A logging statement in the endpoint that logs the attacker-controlled data.
Due to the existence of JMS Appender which can use JNDI in the log4j 1.x, it is possible that log4j version 1.x is also affected by this vulnerability. The impact is still under investigation by security researchers.
What is Cato doing?
The Security Analysts at Cato Networks are working tirelessly to identify, pinpoint and mitigate any potential vulnerability or exposure that our customers may have to this threat.
- 9th December 2021: The security community became aware of active exploitation attempts in the Apache Log4j software.
- 10th December 2021: Cato Networks identified the traffic signature associated with this exploit and started actively monitoring our customer base.
- 11th December 2021: We have implemented a global blocking rule within our IPS for all Cato Customers to mitigate this vulnerability.
The Cato Cloud infrastructure is not believed to be vulnerable to this exploit at this time.
What do I need to do?
- If you have the Cato IPS enabled, we will be actively blocking the traffic signature of this vulnerability automatically. No patching or updates to the Cato platform is required.
- The Cato SDP Client, Cato Sockets, Cato vSockets do not use Apache Log4j.
- It is recommended that any customer using Apache products should follow the vendor's continued advisory.
IPS Events will be generated within the Cato Management Application indicating block actions for this CVE. For example:
This situation is currently evolving within the IT landscape, and Cato Networks is actively monitoring and investigating the situation to ensure our customers remain protected.