
It’s not just by luck or coincidence that customers who use US Signal’s Website and Application Security (WaAS) service are protected against the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228 and CVE-2021-45046).
Log4J is a powerful Java-based logging library maintained by the Apache Software Foundation.
In all Log4j versions >= 2.0-beta9 and <= 2.14.1, JNDI features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
In addition, the previous mitigations for CVE-2021-44228 as seen in version 2.15.0 were not adequate to protect against CVE-2021-45046.
Cloudflare, the US Signal technology partner that provides the web application firewall (WAF) integrated into our WaAS service, deployed three new rules to help mitigate exploit attempts:
In addition to the rules above, Cloudflare also released a fourth rule that protects against a much wider range of attacks. Because this fourth rule incurs a higher false-positive rate, Cloudflare has not set it to BLOCK by default.
The rules don’t “fix” the vulnerability, but they do prevent it from being exploited, and they help reinforce the peace of mind that US Signal’s WaAS is meant to deliver.
When you contract for a security service like WaAS, you expect it’s going to provide the protection it promises. You also expect the technical expertise from US Signal to adapt to new threats and to keep you informed.
Unfortunately, even the most comprehensive, robust services can fall prey to cyberattacks. That’s why it’s important to us at US Signal to partner with technology companies like Cloudflare that take a proactive approach to security and immediately respond when vulnerabilities are discovered, or exploits are successful.
Cloudflare is continuing to share its knowledge and resources to combat the Log4j vulnerability on all fronts, and we want to make sure our customers are aware of them as well. Cloudflare has instructed anyone using Log4j to update to version 2.16.0 as soon as possible. The latest version is available on the Log4j download page. For those unable to update to the latest version, the vulnerability can be mitigated by removing the JndiLookup class from the classpath. The issue can also be mitigated on Log4j versions >= 2.10 by setting the system property log4j2.formatMsgNoLookups or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
In addition, because many Cloudflare customers consume their logs using software that uses Log4j, the company is also mitigating any exploits attempted via Cloudflare Logs. That includes setting up an ‘opt-in’ sanitization program for Cloudflare Logs that replaces the string `${` with `x{` everywhere it appears.
Patching Log4j as soon as possible is strongly recommended.
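The following is an added example, not code from US Signal, Cloudflare or the Log4j project, that turns the two fallback mitigations above (removing the JndiLookup class, and the formatMsgNoLookups switch on 2.10 and later) and the log sanitization into something a defender can run against a jar inventory. The version ranges it encodes are the ones stated in this post; the jar it builds is a constructed fixture (a jar is a zip, so a manifest plus placeholder class entries is enough to exercise the logic), and the function names are this example's own.

```python
"""Inventory a log4j-core jar, classify its version against the ranges the
post states, strip JndiLookup.class as a fallback, and sanitize log lines.
Added example; the fixture jar and function names are constructed here."""
import os
import re
import tempfile
import zipfile

# Class the post says to remove from the classpath when upgrading is not possible.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def version_key(version):
    """Sortable key for Log4j-style versions: a pre-release such as
    "2.0-beta9" orders before the matching release; parts are padded to 3."""
    base, _, qualifier = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    if qualifier:
        m = re.match(r"([a-z]+)(\d*)", qualifier.lower())
        return (tuple(nums), 0, m.group(1), int(m.group(2) or 0))
    return (tuple(nums), 1, "", 0)


def classify(version):
    """Map a log4j-core version onto the ranges given in the post."""
    if version is None:
        return "unknown"
    k = version_key(version)
    if k < version_key("2.0-beta9"):
        return "unaffected"
    if k <= version_key("2.14.1"):
        return "CVE-2021-44228"   # message lookups enabled, JndiLookup present
    if k < version_key("2.16.0"):
        return "CVE-2021-45046"   # the 2.15.0 fix was not adequate
    return "fixed"                # 2.16.0 is the version the post says to install


def property_mitigation_applies(version, env):
    """Per the post, the formatMsgNoLookups switch only helps on >= 2.10.
    `env` is a dict standing in for the process environment."""
    if version is None or version_key(version) < version_key("2.10"):
        return False
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def inspect_jar(path):
    """Read the manifest version and check whether JndiLookup.class is present."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    version = m.group(1) if m else None
    return {"version": version,
            "has_jndi_lookup": JNDI_LOOKUP_ENTRY in names,
            "version_status": classify(version)}


def strip_jndi_lookup(src, dst):
    """Write a copy of the jar without JndiLookup.class; True if it was removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_ENTRY:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def sanitize_log_line(line):
    """The opt-in sanitization the post describes: "${" becomes "x{" so no
    lookup survives into a downstream consumer that logs with Log4j."""
    return line.replace("${", "x{")


def build_sample_jar(path, version, include_jndi=True):
    """Constructed fixture: a manifest plus placeholder class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")


def run_demo(version="2.14.1"):
    """Build the fixture jar, inspect it, strip the class, inspect the copy."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, f"log4j-core-{version}.jar")
        dst = os.path.join(d, f"log4j-core-{version}-nojndi.jar")
        build_sample_jar(src, version)
        before = inspect_jar(src)
        strip_jndi_lookup(src, dst)
        after = inspect_jar(dst)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
    print(sanitize_log_line("GET /?q=${env:USER}"))
```

Note that stripping the class does not change the manifest version, so `version_status` stays the same for the copy; an inventory should report both fields, since a scanner keyed on version alone will keep flagging a jar that has already had JndiLookup removed, and a scanner keyed on the class alone will miss the 2.15.0 case the post calls out.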
You’ll find more information on Cloudflare’s efforts in these blogs:
· Actual CVE-2021-44228 payloads captured in the wild
· How Cloudflare security responded to Log4j 2 vulnerability
· Protection against CVE-2021-45046, the additional Log4j RCE vulnerability
The second one is particularly informative because it also discusses the effectiveness of Cloudflare’s defense-in-depth approach, something we’re always recommending to our US Signal customers.
As noted in our previous blog on the Apache Log4J vulnerability, we continue to work with our partners and vendors to evaluate the threats it poses and to prevent or mitigate future exploits. We’ve already implemented security controls to protect our own IT systems as well as the services we provide our customers. That includes ensuring enhanced IPS rules are in place, enabling web-application-firewall protection rules, and using threat intelligence to enable firewall block-listing.
We’re committed to ensuring the security of all US Signal services and helping our customers fortify their IT security as well. We’ll keep you up to date on our ongoing efforts, including new and updated products and services and our own internal efforts. You can learn more about our portfolio of IT security services here. If you’re interested in how we can help boost your IT security efforts, let us know.
Call (866) 274-4625 or email [email protected].