Introduction
For software developers, it is typical to use open source libraries and code when developing new platforms and software. By using these dependencies, new application development time can be minimized. In other words, why reinvent the wheel when building a car? Previously developed software components can used in conjunction with other previously developed software and your code to create the new application.
The use of open source software in commercial closed source projects depends on its license and is generally allowed. Open source software is community and collaboration-based, whereas propriety software is the property of the developer. This allows for greater flexibility and public review of the code; however, use and understanding of the software often requires expertise given a lack of dedicated support for open source software.
Apache Log4j is under the Apache software license which allows use in proprietary and other open source software with certain stipulations. Log4j is a Java library that enables logging error messages in applications. Log4j is widely used in enterprise software applications, including those custom applications developed in-house by businesses, and forms part of many cloud computing services.
How do you know what software dependencies are used in your environment?
Recently, we have seen vulnerabilities in open source software that have wide-reaching effects on the security of the software used by commercial and government entities. As a result, it is more important than ever to know what software libraries and dependencies, and their versions, are present in your environment. Cisco Secure Workload, previously Cisco Tetration, enables IT administrators to implement application microsegmentation and monitor their current environment.
Cisco Secure Workload collects the following information that can be useful to security teams:
- Host operating system and version
- Network interfaces
- Active processes
- Maps communications between applications showing applicable ports, protocols, and services
- Identifies internal and external dependencies of applications
How can I use Cisco Secure Workload to protect my environment from the Log4J vulnerability or any other zero day vulnerability?
A zero day vulnerability is a security flaw that is present in a software deployment on its first release unbeknownst to its creators. Organizations like MITRE are dedicated to finding and publishing these and other types of Common Vulnerabilities and Exposures (CVEs).
According to the NIST National Vulnerability Database (NVD), CVE-2021-44228 states that the following Apache Log4j2 packages are affected: 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. Apache Log4j is developed by the open source Apache Software Foundation and the library is commonly used for Java logging. The vulnerability has been disabled and subsequently removed in version 2.16.0. Furthermore, this vulnerability affects only log4j-core, not log4net, log4cxx, or any other Apache Logging Services projects.
Cisco Secure Workload provides a zero trust microsegmentation model which monitors workloads while enforcing least privilege communication and restricting lateral movement. Secure Workload can identify Log4j or other vulnerable software packages, as well as processes associated with post-compromise activity based on published indicators of compromise. Secure Workload reports the version of the software as well as the CVE and CVSS severity rating for improved visibility. Furthermore, segmentation policies can be applied to help protect an environment against attack from vulnerable assets.
Now that I’ve identified the workloads with Cisco Secure Workload, how do I protect them?
Fortunately, one of the most difficult aspects of protecting against Log4J is knowing which workloads are affected. Cisco Secure Workload makes that step easy! Now that the applications affected have been identified, the developers of the software can either update to an unaffected version of Log4j or disable the JNDI handler. With visibility into software package versions, system administrators can update vendor software at the vendor’s direction to address the Log4j vulnerability.
Please contact GovSmart to learn more about a Cisco Secure Workload solution and how to best mitigate cyber threats.
Resources:
NVD – CVE-2021-44228 (nist.gov)
Cisco Talos Intelligence Group – Comprehensive Threat Intelligence: Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild