When news breaks of a major security story, like the vulnerability in the open-source Apache logging library Log4j (CVE-2021-44228), vendors and organizations move as fast as they can to understand the issue, determine their exposure, and mitigate the risks.
The Microsoft Security Response Center was quick to release guidance and background on this issue. We continue to update that page as we, and the rest of the infosec community, gain a deeper understanding of the impact of this threat.
In situations like this, organizations that are using Microsoft Defender for Cloud can immediately begin investigations - even before there's a CVE number - with our Inventory tools as shown below.
In addition, our threat detection capabilities have already been expanded to ensure we're surfacing exploitation of CVE-2021-44228 in several relevant security alerts.
Inventory filters
Using inventory, you have two powerful ways to begin determining your exposure across your hybrid and multi-cloud resources:
- Vulnerability assessment findings - If you've enabled any of the vulnerability assessment tools for your machines (whether it's Microsoft Defender for Endpoint's threat and vulnerability management module, the built-in Qualys scanner, or a bring your own license solution), you can search by a CVE identifier when it's released.
- Software inventory - With the combination of the integration with Microsoft Defender for Endpoint and Microsoft Defender for servers, you can search your resources by installed applications and discover which are running the vulnerable software.
A quick demo of how you'd search for all your resources to see which ones have Log4j installed is shown below. Of course, this doesn't replace a search of your codebase. There's also the possibility that software with integrated Log4j libraries won't appear in this list. But it's definitely helpful for initial triaging when a major incident is unfolding.
Search Azure Resource Graph data
Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.
ARG provides another way to query your resource data for resources found to be vulnerable to the Log4j vulnerability:
- Open Azure Resource Graph Explorer.
- Enter the following query and select Run query:
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id)
| extend Props = parse_json(properties)
| extend additionalData = Props.additionalData
| extend cves = additionalData.cve
| where isnotempty(cves) and array_length(cves) > 0
| mv-expand cves
| where tostring(cves) has "CVE-2021-44228"
| distinct parentResourceId
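An added example, not part of the original post: a variant of the query above that keeps only findings still reported as unhealthy and joins each affected resource ID to the resources table, so the triage list carries name, type, resource group and subscription. The properties.status.code, properties.status.severity and properties.displayName fields are assumed to follow the standard subassessment schema.

```kusto
// Added example: same CVE filter as the query above, with triage context.
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
// Lower-case the parent ID so it matches the join key built from resources.id
| extend parentResourceId = tolower(extract("(.+)/providers/Microsoft.Security", 1, id))
| extend cves = properties.additionalData.cve
| where isnotempty(cves) and array_length(cves) > 0
| mv-expand cves
| where tostring(cves) has "CVE-2021-44228"
// Assumption: status.code is "Unhealthy" while the finding is still open
| where tostring(properties.status.code) =~ "Unhealthy"
| project parentResourceId, subscriptionId,
          finding = tostring(properties.displayName),
          severity = tostring(properties.status.severity)
// One row per resource and finding, even if the scanner reported it twice
| distinct parentResourceId, subscriptionId, finding, severity
// leftouter keeps affected resources that have no row in the resources table
| join kind=leftouter (
    resources
    | project parentResourceId = tolower(id), name, type, resourceGroup
  ) on parentResourceId
| project subscriptionId, resourceGroup, name, type, severity, finding, parentResourceId
| order by subscriptionId asc, resourceGroup asc, name asc
```

Rows with an empty name are resources the assessment knows about but the resources table did not return, which is worth checking by parentResourceId directly.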
Learn more
For extensive guidance, workarounds, background, analysis of the vulnerability, and the latest updates, check the continually maintained post on the Microsoft Security Response Center (MSRC) blog.