On December 9, 2021 it was widely announced that a zero-day vulnerability was identified and is already drawing the attention of cyber criminals. A lot has already been written across the internet about the most recent vulnerability in Java’s Log4j utility. We will do our best to keep this simple and to the point. If you develop your own applications using Java, you should be working with your development or hosting teams on getting this addressed. This post is for the rest of you.
This isn’t a clean vulnerability where one blog post from RSM will summarize everything. We have been monitoring a number of data sources and have been in communication with a variety of contacts. At this point it appears that this vulnerability is expected to evolve over the next few months. So far the exploit has been largely used by crypto miners, but we expect the bad guys to be right behind them. Our hope is to provide some basics to help you prioritize your remediation strategy and give focus to a situation that can feel overwhelming. The situation will change, and more vendors will have provided updates by the time you read this, so please check back for updates.
WHO IS IMPACTED?
Many vendors have issued guidance or statements regarding their software’s exposure to this vulnerability. The Netherlands’ NCSC has published a comprehensive list on GitHub of which vendors have exposure and at what stage they are with their remediation efforts. (CISA has created guidance on GitHub as well, but it’s not as developed as NCSC’s list yet.) While this is a rapidly evolving situation, the list is a mix of vendors that have either already deployed fixes, are still researching whether they need to, or have issued workarounds or patches for their software. Here are just a few examples that illustrate what we’re seeing across the vendor space.
- Palo Alto Networks has stated they’re not susceptible
- VMware has a list of known vulnerable products and has published workarounds for most and patches for some
- Cisco has been updating their status page regularly as they continue their evaluations
Just about every technology vendor has made a statement regarding their exposure, or lack thereof.
HOW ARE YOU POTENTIALLY EXPOSED?
Your largest concern right now should be internet-facing services (i.e., anywhere you’ve opened a firewall rule to allow inbound web services to your network), which should be addressed immediately. This will mean applying a vendor-supplied patch, a recommended workaround, or simply shutting the service off until a fix is available (if that’s an option for you). So drop everything and fix it. Now.
Your second priority should be to inventory internal systems and determine whether any third-party software is vulnerable. The GitHub list is handy here again. As these vendors make updates available, you should develop a plan to deploy them as soon as possible.
WHAT SHOULD YOU DO?
While this is a very fluid situation, there are some things you can do now to help minimize the impact to your organization.
- Address your vulnerable internet-facing services immediately.
- Patch them, implement workarounds if no patch is available, or shut them down until a fix is available.
- Inventory your internal systems to determine what you need to update as patches are made available.
- Stay informed.
- Then, go give your cyber team a hug!
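The inventory step above, as an added example that is not part of the original RSM post: a Python scanner that walks a directory tree, opens every jar/war/ear, descends into nested archives (fat jars and application servers bundle libraries this way), reports each log4j-core it finds with its version, and flags anything below a threshold you supply from current vendor guidance. The threshold argument, the constructed sample WAR and its "2.14.1" label are illustration-only assumptions, not values from the post.

```python
import io, re, zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_CLASSES = "org/apache/logging/log4j/core/"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")
NESTED = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    # '2.14.1' -> (2, 14, 1) so versions compare numerically; a '-beta9' qualifier is dropped
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def scan_archive(data, path):
    """[(location, version)] for each log4j-core in archive bytes, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names, version = zf.namelist(), None
    if POM_PROPS in names:  # Maven metadata usually survives even in shaded/fat jars
        m = re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = m.group(1) if m else None
    if version is None and NAME_RE.search(path):  # fall back to the conventional file name
        version = NAME_RE.search(path).group(1)
    if version is None and any(CORE_CLASSES in n for n in names):
        version = "unknown"  # log4j-core classes present but no version metadata: inspect by hand
    found = [(path, version)] if version else []
    for n in names:
        if n.lower().endswith(NESTED):
            found.extend(scan_archive(zf.read(n), f"{path}!/{n}"))
    return found

def scan_tree(root, minimum_ok):
    """Hits below minimum_ok (a version string taken from current vendor guidance) or of unknown version."""
    floor = parse_version(minimum_ok)
    hits = [h for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in NESTED
            for h in scan_archive(p.read_bytes(), str(p))]
    return [(w, v) for w, v in hits if v == "unknown" or parse_version(v) < floor]

def build_sample_war():
    """Constructed input: a WAR bundling a log4j-core jar (metadata only, no real classes) next to an app jar."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, body in entries.items():
                z.writestr(name, body)
        return buf.getvalue()
    core = zipped({CORE_CLASSES + "Logger.class": b"", POM_PROPS: "version=2.14.1\n"})
    return zipped({"WEB-INF/lib/log4j-core-2.14.1.jar": core, "WEB-INF/lib/app.jar": zipped({"a/B.class": b""})})
```

Run scan_tree on each host's application directories with the minimum acceptable version from your vendor's guidance; an "unknown" hit means log4j-core classes were found without version metadata and needs a manual look.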
For additional information visit RSM’s Cybersecurity Rapid Assessment to learn how RSM can help you prepare for this evolving threat.
If you believe you may have been affected or compromised, contact the RSM Cyber Response team.
Authored by Corey Weeklund (Corey.Weeklund@rsmus.com)