‘Vaccine’ against Log4Shell vulnerability has potential—and limitations

A “vaccine” against the Log4Shell vulnerability appears to offer a way to reduce risk from the widespread flaw affecting servers that run Apache Log4j. The script was developed by researchers at security vendor Cybereason and released on Friday evening, following the disclosure of the critical zero-day vulnerability late on Thursday.

The Log4Shell vulnerability affects Apache Log4j, an open source Java logging library deployed broadly in web servers and the services that run on them. The flaw is considered highly dangerous because it can enable remote code execution (RCE)—in which an attacker can remotely access and control devices—and is also seen as fairly easy to exploit. Log4Shell is “probably the most significant [vulnerability] in a decade,” and may end up being the “most significant ever,” Tenable CEO Amit Yoran said Saturday on Twitter.

Widespread vulnerability

According to W3Techs, an estimated 31.5% of all websites run on Apache servers. The list of companies with vulnerable infrastructure reportedly includes Apple, Amazon, Twitter, and Cloudflare. Vendors including Cisco, VMware, and Red Hat have issued advisories about vulnerable products.

“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” said Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency (CISA), in a statement posted Saturday.

The vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j, and organizations are advised to update to version 2.15.0 as quickly as possible.

Supplement to patching

But patching can be a time-consuming process. To supplement patching efforts, Cybereason says its script—which it calls “Logout4Shell”—has the potential to “immunize” vulnerable servers, providing protection against attacker exploits that target the flaw.

“You should still update your Apache systems to permanently remediate the vulnerability, but patching takes time, and some systems may not be able to be updated immediately—or at all,” said Yonatan Striem-Amit, cofounder and chief technology officer at Cybereason, in the blog post.

The Logout4Shell “vaccine” essentially buys security teams some time while they can roll out patches to systems. “This fix will disable the vulnerability and allow you to remain protected while you assess and update your servers,” Striem-Amit wrote.

Cybereason has described the fix as a “vaccine” because it works by leveraging the Log4Shell vulnerability itself.

“The fix uses the vulnerability itself to set the flag that turns it off,” Striem-Amit wrote. “Because the vulnerability is so easy to exploit and so ubiquitous—it’s one of the very few ways to close it in certain scenarios.”

Additionally, the Cybereason fix is “relatively simple” because only basic Java skills are required to implement it, he wrote.

Potential to help

Casey Ellis, founder and chief technology officer at bug bounty platform Bugcrowd, told VentureBeat that the Cybereason fix “appears to be genuine and has the potential to assist security teams.”

Ellis said that due to the complexity of regression testing Log4j, “I’ve already heard from a number of organizations that are pursuing the workarounds contained in the Cybereason tool as their primary approach.”

“It remains to be seen whether many enterprises choose to exploit the vulnerability itself in order to achieve this,” he said. “But I would expect at least some to use the tool selectively and situationally.”

Limitations

The Cybereason fix has some limitations, however.

For one thing, the mitigation does not work prior to version 2.10 of Log4j. It also requires a restart, and the exploit must fire properly in order to be effective, Ellis said. “And even when it does run properly, it still leaves the vulnerable code in place,” he said.
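Because the workaround applies only to some of the affected versions, a defender's first job is to sort an inventory of Log4j deployments into what can be patched, what the workaround could cover while a patch is scheduled, and what needs an upgrade regardless. The following Python is an added example written for this article, not Cybereason's tool or any code from the vendor. It uses only the version boundaries stated above (affected 2.0 through 2.14.1, fixed in 2.15.0, workaround unavailable before 2.10); the jar filenames in the sample inventory are constructed, and the `parse_log4j_core_version`, `classify` and `triage` names are this example's own.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Version boundaries as stated in the article; treat these as data to be
# refreshed against the current Apache advisory rather than as constants.
FIRST_AFFECTED: Version = (2, 0, 0)     # affected range starts at 2.0
FIXED_IN: Version = (2, 15, 0)          # article: update to 2.15.0
WORKAROUND_FROM: Version = (2, 10, 0)   # article: workaround fails before 2.10

# Only log4j-core carries the vulnerable code path; log4j-api alone is not the
# artifact we are looking for, so the pattern is deliberately narrow.
_JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_log4j_core_version(path: str) -> Optional[Version]:
    """Return (major, minor, patch) for a log4j-core jar path, else None."""
    m = _JAR_RE.search(path)
    if m is None:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def classify(version: Version) -> str:
    """Map a log4j-core version to the remediation path the article describes."""
    if version >= FIXED_IN:
        return "patched"
    if version < FIRST_AFFECTED:
        return "outside-covered-range"     # 1.x line; not addressed by the article
    if version >= WORKAROUND_FROM:
        return "vulnerable-workaround-possible"  # 2.10 through 2.14.1
    return "vulnerable-upgrade-only"      # 2.0 through 2.9.x: workaround does not apply


def triage(paths: Iterable[str]) -> Dict[str, str]:
    """Classify every log4j-core jar in an inventory; other jars are skipped."""
    report: Dict[str, str] = {}
    for path in paths:
        version = parse_log4j_core_version(path)
        if version is not None:
            report[path] = classify(version)
    return report


# Constructed sample inventory (hypothetical paths, not from any real host).
SAMPLE_INVENTORY = [
    "/opt/app1/lib/log4j-core-2.14.1.jar",
    "/opt/app2/lib/log4j-core-2.9.1.jar",
    "/opt/app3/lib/log4j-core-2.15.0.jar",
    "/opt/app4/lib/log4j-api-2.14.1.jar",   # api-only jar, skipped
    "/opt/app5/lib/log4j-core-2.10.jar",    # no patch component
]

if __name__ == "__main__":
    for jar, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:32s} {jar}")
```

The output groups hosts by what to do next: `patched` entries need only confirmation, `vulnerable-workaround-possible` entries are the ones where a stopgap can buy time before a scheduled restart and upgrade, and `vulnerable-upgrade-only` entries cannot be covered by the workaround at all and should go to the front of the patch queue. Jars that are unpacked, shaded into fat jars, or renamed will not match the filename pattern, so this kind of scan is a complement to, not a substitute for, a proper dependency analysis.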

Still, “this strikes me as a very clever ‘option of last resort,’” Ellis said. “Many organizations are currently struggling to inventory where Log4j exists in their environment, and updating a component like this necessitates a dependency analysis in order to avoid breaking a system in the pursuit of fixing a vulnerability.”

All of this “adds up to a lot of work. And having a ‘fire and forget’ tool to clean up anything that may have been missed at the end of it all seems like a scenario that many organizations will find themselves in, in the coming weeks,” he said.

Ultimately, “I see this as a potential supplement rather than a replacement,” he said of the Cybereason fix. “It’s critical to understand that this isn’t a solution – it’s a workaround with a number of limitations. It has intriguing potential as a tool in the toolbox as organizations reduce Log4j risk, and if it makes sense for them to use it, one of the primary reasons will be speed to risk reduction.”
