The evolution of enterprise software has generated tremendous value for developers and the organizations they serve. At one time, software development was a monolithic process, requiring the coding of all the underlying infrastructure before an application could be developed. Today there are many commercial and open-source components available to create a foundation that enables developers to concentrate on differentiated application value on top.
That also means that many components are used in myriad applications, from small internal solutions to popular public applications. That’s a risk from a security perspective, since a vulnerability in a popular component or library can have tremendous impact – as was seen in the 2014 Heartbleed memory bug in the popular OpenSSL implementation of TLS, and the 2017 remote code execution bug in Apache Struts that led to a major data breach at Equifax, among others impacted.
Unfortunately, it has happened again with a remote code execution bug in Apache Log4j, a popular Java-based logging system that’s been integrated into countless custom solutions. On December 09, 2021, a zero-day vulnerability was disclosed resulting in the creation of CVE-2021-44228, a.k.a. Log4Shell. This vulnerability has a CVSS score of 10, the most severe rating, due to both its simplicity and ubiquity. Apache has released a fix to disable the necessary behavior in its current release, Apache Log4j version 2.15.0.
When the Log4j vulnerability was revealed, the NetWitness team launched an immediate investigation into Log4j use within the NetWitness Platform, as well as actions to support its customers in identifying and remediating attempts to exploit the vulnerability in their own environments.
Our investigation found that NetWitness does use Log4j and is therefore vulnerable to attack in specific circumstances, but we are actively developing fixes to eliminate this vulnerability. The risk is mitigated, however, as an attacker must be able to gain access to the NetWitness Platform login screen, and the network must allow outbound LDAP connections from the NetWitness Platform to external sites. Both scenarios are uncommon. Furthermore, NetWitness Platform 11.5 and newer is not vulnerable to remote code execution (although a successful exploit may be able to leak system configuration data).
To help NetWitness customers detect active exploits, NetWitness released a set of rules to detect behaviors that could indicate an attack. Longstanding policy, as a member of the infosec community, means that NetWitness shares this information publicly to assist users of any security tool to protect against this major exploit. We continue to research the ways attackers are targeting this exploit and will similarly publish any new results.
The tremendous interconnectivity of modern software delivers very real benefits in the creation of stable, scalable solutions, and the ability for developers to focus on application logic rather than “plumbing.” Unfortunately, this also means that attacks on widely distributed software components can create high-impact problems for many applications and services simultaneously.
NetWitness stands with our customers and the entire cybersecurity industry in fighting back against attackers of all types. As novel and zero-day attacks like the Apache Log4j occur, we’ll be ready to respond quickly and efficiently.