Answers to FAQs on the Apache Software Vulnerability
As we monitor this situation, our task force has put together some commonly asked questions regarding the recent Log4j Vulnerability and how it impacts your credit union. We hope that this information is helpful and should your team have questions, we are here to help.
FAQs:
Does my endpoint protection need to be updated for this? Though it is always a good idea to keep endpoint/malware protection updated, this is not a vulnerability that affects the endpoints or workstations. This is a vulnerability that is exploited at the edges of the network and targets servers and other systems.
Can I block this at the Firewall IDS/IPS? Edge device vendors such as Palo Alto Networks have published signatures to look for and block this traffic. However, this traffic is typically encrypted and may not be inspected. Pure IT has contacted all Managed Firewall customers requesting an Emergency Change Order to allow us to enable Inbound Decrypt on the devices we have under management to monitor for this vulnerability in encrypted traffic.
Is my Veeam backup affected? At this point, there are no known vulnerabilities in the Veeam products. https://www.veeam.com/kb4254
Are my Dell switches affected? Dell asserts that Dell Networking OS 9 and 10 are not vulnerable. See https://www.dell.com/support/kbdoc/en-us/000194414/dell-response-to-apache-log4j-remote-code-execution-vulnerability
Are my Dell iDRACs affected? Dell asserts that the iDRAC Service Module is not vulnerable. See https://www.dell.com/support/kbdoc/en-us/000194414/dell-response-to-apache-log4j-remote-code-execution-vulnerability
Is Liongard affected? Liongard asserts that their tools are not affected. https://insights.liongard.com/faq-apache-log4j-vulnerability
Is Auvik affected? Auvik found that they had some tools that were affected and has since resolved that vulnerability. As a cloud-based solution, this provides the fix across all clients. https://status.auvik.com/incidents/58bfngkz69mj
Is ConnectWise affected? For cloud-based deployments such as the one we use at Pure IT, ConnectWise was unaffected. For those with on-site instances, ConnectWise provided a workaround to turn off the affected services. As of 12/21/2021 they are testing a patch with the intention of rolling it out shortly. https://www.connectwise.com/company/trust/advisories?mkt_tok=NDE3LUhXWS04MjYAAAGBXjGOR9bMyJSefbkkQjZSApYjwp6ZZJm2eKNVc54Fe6U8HUuzmjYENnqu3CVoi7_7epZkQrkDtVW2Gby2uHIi9dvjBoX7517DNwTCp4XOXBs5
Is BitDefender affected? BitDefender’s products are unaffected by the vulnerability. https://businessinsights.bitdefender.com/security-advisory-bitdefender-response-to-critical-0-day-apache-log4j2-vulnerability
Are my HP products affected? HP has a very extensive line of equipment and systems. The list of items that have been inspected and found NOT vulnerable is available at https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us. Products not on this list are either vulnerable or still under investigation.
Are Microsoft products affected? A small number of Microsoft products are affected by this vulnerability, and Microsoft has fixes to resolve the issue. Details are available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44228. Microsoft also describes steps that can be taken to further harden an environment even where its tools are not vulnerable. These are available at https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Is Microsoft Azure AD affected? Though not directly affected, many other tools can use Azure AD for authentication. If you use Azure AD for Single Sign On within your environment, Microsoft is recommending some steps to help mitigate potential bad actors at https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/#Microsoft-Azure-AD
Is my VMware environment affected? There are several vulnerabilities in the VMware products. For clients with VMware under management by Pure IT, we have contacted clients that have these packages installed and are implementing workarounds or patches as available and appropriate. For more details, see VMware’s response at https://kb.vmware.com/s/article/87068
Is my Check Point Firewall affected? Check Point asserts that they are not vulnerable. See more info at https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/
Are my Fortinet products affected? Fortinet has provided a guide on their products that are affected and not affected at https://www.fortiguard.com/psirt/FG-IR-21-245
Are my Aruba products affected? Only the Aruba Silver Peak Orchestrator and legacy GMS products are affected. All other Aruba products are not vulnerable. See https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-019.txt
What other patches or workarounds need to be put in place? Pure IT staff have reached out to all clients that have affected systems to implement workarounds or patches where available. If you think of other systems that you have in place, check the CISA or NCSC-NL repositories to validate the status.
Background:
The recent log4j vulnerability affects many, many software applications. On the CVSS scale used to rank vulnerabilities, it scores 10.0 out of 10.0, placing it at the highest possible level of criticality. Log4j is a widely used Java logging library. To give some sense of scale, Oracle’s Java website states that “millions of developers [run] more than 51 billion Java Virtual Machines worldwide.” As a Java library, log4j is used in a vast amount of software and applications, from Apple to VMware.
This library is provided by Apache, and they patched it very quickly. They have since patched it twice more after discovering further issues. For the companies that use the library, the fix is not as simple as swapping in the new library: the way the library is used has to change before it is built into the software. This prolongs the process of creating a patch and getting it through testing and release.
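Because log4j is compiled into the applications that use it, often as a JAR nested inside another JAR or WAR, finding every copy on a host is part of validating a vendor's status. The following is an added example (not Pure IT's code, nor Apache's or any vendor's): a small Python inventory script that walks a directory tree, looks inside archives and nested archives for the log4j-core pom.properties, and flags versions below 2.17.0. It assumes Maven-built JARs, which carry a pom.properties file, and uses a constructed sample archive from build_sample() in place of a real deployment.

```python
# Added example, not Pure IT's or Apache's code; assumes Maven-built JARs (pom.properties present).
import io
import re
import zipfile
from pathlib import Path
FIXED = (2, 17, 0)  # December 2021 fixed release on the 2.x line; used as the threshold
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")
def parse_version(text):
    """'version=2.14.1' line from pom.properties -> (2, 14, 1), or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None
def is_vulnerable(version):
    """Unknown or pre-2.17.0 needs action; 2.12.x/2.3.x back-ports are not special-cased."""
    return version is None or version < FIXED

def scan_archive(data, name):
    """[(path, version)] for each log4j-core in archive bytes, recursing into nested JARs."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip: plain data or a corrupt file
    with zf:
        for entry in zf.namelist():
            if entry.endswith(POM):
                text = zf.read(entry).decode("utf-8", "replace")
                found.append((name, parse_version(text)))
            elif entry.lower().endswith(NESTED):
                found.extend(scan_archive(zf.read(entry), f"{name}!{entry}"))
    return found

def scan_tree(root):
    """Walk a directory tree; return [(path, version, vulnerable)] for every hit."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in NESTED:
            for name, v in scan_archive(p.read_bytes(), str(p)):
                results.append((name, v, is_vulnerable(v)))
    return results

def build_sample():
    """Constructed sample: an app JAR bundling log4j-core 2.14.1 as a nested JAR."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM, "artifactId=log4j-core\nversion=2.14.1\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr("BOOT-INF/lib/other.jar", b"not a zip")  # must be skipped, not crash
    return outer.getvalue()
```

Run scan_tree() against an application directory to get one row per embedded log4j-core; a row with a None version means the archive carried no readable pom.properties and should be checked by hand.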
Vulnerability Information
If you would like further detailed info, CISA has created a website to provide guidance on this vulnerability.
Both CISA and the NCSC-NL have GitHub repositories to keep track of the updates from each vendor.
Access real-time updates and information regarding Log4j and your credit union here: https://pureitcuso.com/faq-log4j-vulnerability/