5 Advices for preventing Remote Code Execution (RCE) | HKT

The recent Log4j vulnerability (CVE-2021-44228) found in Dec 2021, and known as a remote code execution (RCE) vulnerability, has devastated digital systems across the internet. Log4j is a ubiquitous open source Apache logging framework that developers use to keep a record of activity within an application. As it is used by millions of websites and apps, the impact of this can hardly be imagined.

We are already on top of it

While most enterprises are still struggling to make a full vulnerability assessment to identify any affected systems,  our dedicated experts and Next Generation Security Operations Center (NG SOC) have already managed and secured the systems of our customers using our Managed Security Services (MSS) in the following ways:

• The Intrusion Prevention System (IPS) signature was updated automatically, and the IPS systems already started scanning and blocking the malicious attacks from the morning of 11 Dec, 2021.

• Our advanced Next-Generation Anti-malware tool prevented and detected the tactics and techniques being used in CVE-2021-44228; while both of our Security Operations Centers are continuing to actively monitor any further malicious behaviour.

• Assessments of those applications were already built-in internally and are in the process of implementing fixes where necessary.

 
Non-HKT Managed Security Services customers - take these steps immediately

For non-HKT MSS customers, our NG SOC experts suggest taking the follow precautions immediately.

• Update your Intrusion Prevention System (IPS) signature. It’s a good security practice to use the latest patch update.

• For home-grown applications, you may consider the following mitigation(s) as soon as you can:

  1. Set log4j.formatMsgNoLookups or Dlog4j.formatMsgNoLookups to true for Log4j 2.10 or greater;

  2. Use %m{nolookups} in the PatternLayout configuration for Log4j 2.7 or greater; and

  3. Remove JdniLookup and JdniManager classes from log4j-core.jar for all other Log4j 2 versions.

• For commercial off-the-shelf (COTS) products, please check with your vendors what temporary measures you can apply to mitigate risk.

• Restrict the network traffic on firewall, e.g.:

  1. Use %m{nolookups} in the PatternLayout configuration for Log4j 2.7 or greater; and

  2. Remove JdniLookup and JdniManager classes from log4j-core.jar for all other Log4j 2 versions.

• Apache has released Log4j version 2.17.1 that has fixed the vulnerability. All application teams should consider upgrading their application to this new version as soon as they can.

We will be happy to provide more guidance on the precautions and measurements you should take to optimize your security posture, especially if you are facing a shortage of resources and expertise.