How to detect exposure and exploitation of Log4Shell
The series of vulnerabilities discovered in the past few weeks in the widely used open-source Java component Log4j continues to occupy enterprise security teams. Although remediating the affected library is the priority, identifying every affected application and server on a large network is not straightforward because of indirect software dependencies and third-party products.
The problem is, the longer it takes organizations to find potentially exposed assets, the more time attackers have to find and exploit them. Various groups of attackers are currently exploiting the remote code execution vulnerabilities, ranging from state-sponsored cyber espionage actors to ransomware groups, cryptocurrency mining and DDoS botnets.
It is therefore essential that organizations not only identify vulnerable assets and implement a mitigation strategy, which may differ from case to case, but also look for indicators of attempted compromise and exploitation in their server and application logs.
Detection of vulnerable applications and servers
The security community has developed and released several open source tools that can be used to scan directories and file systems for vulnerable Log4j package instances, and commercial vulnerability scanners have also added detection of this vulnerability. However, all scanners can have blind spots, and this is especially true when it comes to Java components like Log4j.
First, while many Java packages are provided as Java ARchive (JAR) files, JAR is not the only format used for deploying Java applications. There is also TAR (uncompressed Tape Archive), WAR (Web Application Archive), EAR (Enterprise Application Archive), SAR (Service Application Archive), PAR (Portlet Archive), RAR (Resource Adapter Archive) and KAR (Apache Karaf Archive).
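The two scanner blind spots just described, archives under extensions other than .jar and archives nested inside other archives, can be covered by a scanner that opens every container in memory and recurses. The script below is an added illustration written for this article, not one of the open source tools it refers to. It treats every listed format except TAR as a ZIP container (which is what they are), descends into archives found inside archives, flags any copy of log4j-core that still contains the JndiLookup class, and reports the version recorded in the JAR's Maven pom.properties; it also catches exploded deployments where the class sits directly on disk. The sample data it scans (a fake log4j-core JAR carrying a placeholder version string, packed JAR-in-WAR-in-EAR and JAR-in-TAR) is constructed by the script itself and is not a real Log4j build.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Every one of these except .tar is a ZIP container under another extension
# (Java RAR is a resource adapter archive, not a WinRAR file).
ZIP_SUFFIXES = (".jar", ".war", ".ear", ".sar", ".par", ".rar", ".kar", ".zip")
TAR_SUFFIXES = (".tar",)

# The class that performs JNDI lookups; its presence marks a log4j-core build
# that has been neither upgraded nor had the class removed.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core JARs; holds the artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def is_archive(name):
    low = name.lower()
    return low.endswith(ZIP_SUFFIXES) or low.endswith(TAR_SUFFIXES)


def version_from_pom(content):
    for line in content.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _inspect(entries, label, findings):
    """entries: (member name, zero-argument reader) pairs; label: archive path so far."""
    hit, version = False, None
    for name, read in entries:
        if name == JNDI_CLASS:
            hit = True
        elif name == POM_PROPS:
            version = version_from_pom(read())
        elif is_archive(name):  # nested archive: descend without extracting to disk
            scan_archive_bytes(read(), label + "!" + name, findings)
    if hit:
        findings.append({"archive": label, "version": version})


def scan_archive_bytes(data, label, findings):
    """Open an in-memory archive as TAR or ZIP and inspect its members."""
    if label.lower().endswith(TAR_SUFFIXES):
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                members = [m for m in tf.getmembers() if m.isfile()]
                _inspect([(m.name, lambda m=m: tf.extractfile(m).read())
                          for m in members], label, findings)
        except tarfile.TarError:
            pass
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
            _inspect([(i.filename, lambda i=i: zf.read(i)) for i in infos],
                     label, findings)
    except zipfile.BadZipFile:
        pass  # not a ZIP despite its extension; nothing to inspect


def scan_tree(root):
    """Walk a directory tree, covering packed archives and exploded deployments."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.endswith(JNDI_CLASS):  # class unpacked directly on disk
                prefix = rel[:-len(JNDI_CLASS)].rstrip("/") or "."
                findings.append({"archive": prefix + " (exploded)", "version": None})
            elif is_archive(fname):
                with open(path, "rb") as fh:
                    scan_archive_bytes(fh.read(), rel, findings)
    return findings


def build_sample(root):
    """Constructed sample data only: a fake log4j-core JAR with the marker class,
    packed JAR -> WAR -> EAR, the same JAR inside a TAR, and one exploded copy."""
    def zip_bytes(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in members.items():
                zf.writestr(name, data)
        return buf.getvalue()

    core = zip_bytes({JNDI_CLASS: b"\xca\xfe\xba\xbe",       # fake class bytes
                      POM_PROPS: b"version=2.0-sample\n"})    # placeholder version
    ear = zip_bytes({"app.war": zip_bytes({"WEB-INF/lib/log4j-core.jar": core})})
    with open(os.path.join(root, "app.ear"), "wb") as fh:
        fh.write(ear)
    with tarfile.open(os.path.join(root, "bundle.tar"), "w") as tf:
        info = tarfile.TarInfo("lib/log4j-core.jar")
        info.size = len(core)
        tf.addfile(info, io.BytesIO(core))
    exploded = os.path.join(root, "webapp", "WEB-INF", "classes", *JNDI_CLASS.split("/"))
    os.makedirs(os.path.dirname(exploded))
    with open(exploded, "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")


def demo():
    """Build the sample tree in a temp dir and return (location, version) findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return sorted((f["archive"], f["version"]) for f in scan_tree(root))


if __name__ == "__main__":
    for location, version in demo():
        print(f"{location}\tversion={version}")
```

On a real host, point `scan_tree` at application directories and container image layers rather than the constructed sample; a finding with no version means the JAR's Maven metadata was stripped or the class was found exploded on disk, and the build should then be identified another way rather than assumed safe.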