Diamond IT Blog

Log4j Named “The Most Critical Vulnerability of the Last Decade”

Written by Chris Cox | December 21, 2021

On December 9, a remote code execution vulnerability (CVE-2021-44228) was identified in ‘Log4j’, an open-source software tool used by many systems around the world. Log4j is an Apache logging library used in many Java-based applications to record error messages, and the flaw has put millions of servers at increased risk of data exploitation. The vulnerability has been given the maximum severity score of 10/10 and described as “the most critical vulnerability of the last decade”.

Details of the attack

Many line-of-business applications from third-party vendors use the Log4j library as part of the web services they provide to end users. The library is embedded in those applications, and malicious scanning of internet-facing IP addresses is currently under way from many sources looking for a foothold into your network.

The vulnerability allows an attacker to send a specially crafted message to a vulnerable web server and subsequently open a backdoor into the affected system, potentially stealing data and compromising network security.

This specific attack does not relate to Microsoft-based applications and services, as these use a Microsoft proprietary web server called IIS.

Immediate recommendation

In line with recommendations from the Australian Cyber Security Centre (ACSC), we strongly advise all Australian organisations whose applications use the Apache web platform to check whether Log4j versions prior to 2.15.0 are present and, if so, to immediately install the latest available version from the software vendor.
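As an added example (not Diamond IT's or the ACSC's tooling), the Python script below locates log4j-core JARs under a directory and flags any version below 2.15.0. It reads the Maven pom.properties record that the Apache build embeds in the JAR rather than trusting the filename, so a vendor bundle that renamed the library is still caught; JARs nested inside WAR or EAR archives are out of scope here, and the two sample JARs are constructed inline.

```python
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Version record that the Apache build embeds in every official log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
PATCHED = (2, 15, 0)  # threshold quoted in the ACSC advice above

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a pre-release tag such as '2.0-beta9' -> (2, 0)."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in text.strip().split("."))

def log4j_core_version(jar_path: str) -> Optional[str]:
    """Return the log4j-core version recorded inside the archive, else None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS not in jar.namelist():
                return None
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None  # not a real archive; skip it
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_for_log4j(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root; return (path, version, needs_update) for each log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None:
                findings.append((path, version, parse_version(version) < PATCHED))
    return findings

def demo() -> List[Tuple[str, str, bool]]:
    """Scan two constructed JARs: a renamed vendor bundle on 2.14.1 and a patched 2.15.0."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, version in (("vendor-app-libs.jar", "2.14.1"), ("log4j-core-2.15.0.jar", "2.15.0")):
            with zipfile.ZipFile(os.path.join(tmp, name), "w") as jar:
                jar.writestr(POM_PROPS, f"version={version}\n")  # sample data only
        return scan_for_log4j(tmp)
```

Point `scan_for_log4j` at an application's install directory to list every embedded log4j-core and whether it falls below the 2.15.0 threshold.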

The ACSC is monitoring the situation and can provide advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.

For further general information and advice about the Log4j vulnerability, and mitigations, please refer to the Australian Government ACSC website.

Notification to our customers

Please note this vulnerability specifically impacts Apache web servers that are externally accessible via the internet and, as mentioned, is easily exploitable. As such, your software vendors should be working with you directly on patching and remediation requirements as a matter of urgency.

We urge customers to monitor notifications from software vendors and log a ticket with us as soon as notified that an updated version is available. Diamond IT is unable to close this security vulnerability until a patch is released by each vendor whose software is vulnerable to this attack.

For Diamond IT customers with a Unified Threat Management (UTM) gateway such as a FortiGate installed, please note that we have activated an Intrusion Prevention System (IPS) signature for this attack and updated settings while waiting on further action from your software vendors. This system detects the specially crafted messages attackers use to compromise systems and provides protection from internet-based attacks while your software vendors develop a patch. It does not mitigate attacks that originate from within your network, which is why installing an updated version of your software is still required.

For any questions or for more information on the FortiGate network firewall, please contact your Business Technology Manager.

How Diamond IT can support your cyber security

Diamond IT regularly monitors and reviews threats in the IT landscape and always moves swiftly to protect customer systems and data with the utmost urgency and care. For this specific threat, we have put in place all mitigation strategies possible and stand ready to assist customers with updating their systems as soon as vendors release updated versions of their software.

If you need advice on how you can ensure your cybersecurity strategy is fit for purpose, or if you'd like more information on Diamond IT's security approach including TechOps, our team of cyber security experts is ready to help. Contact our team on 1300 307 907 today.