When news breaks of a major security story, like the vulnerability in the open-source Apache logging library Log4j (CVE-2021-44228), vendors and organizations move as fast as they can to understand the issue, determine their exposure, and mitigate the risks.
The Microsoft Security Response Center was quick to release guidance and background on this issue. We continue to update that page as we, and the rest of the infosec community, gain a deeper understanding of the impact of this threat.
In situations like this, organizations that are using Microsoft Defender for Cloud can immediately begin investigations - even before there's a CVE number - with our Inventory tools as shown below.
In addition, our threat detection capabilities have already been expanded to ensure we're surfacing exploitation of CVE-2021-44228 in several relevant security alerts.
Using inventory, you have two powerful ways to begin determining your exposure across your hybrid and multi-cloud resources:
A quick demo of how you'd search for all your resources to see which ones have Log4j installed is shown below. Of course, this doesn't replace a search of your codebase. There's also the possibility that software with integrated Log4j libraries won't appear in this list. But it's definitely helpful for initial triaging when a major incident is unfolding.
Search Azure Resource Graph data
Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.
ARG provides another way to find the resources that have been assessed as affected by the Log4j vulnerability:
Open Azure Resource Graph Explorer.
Enter the following query and select Run query:
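// Vulnerability assessment findings (sub-assessments) are stored in the securityresources table
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
// Derive the assessment key, the finding ID and the ID of the resource the finding belongs to
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id)
| extend Props = parse_json(properties)
| extend additionalData = Props.additionalData
| extend cves = additionalData.cve
// Keep only findings that list at least one CVE, then test each CVE entry individually
| where isnotempty(cves) and array_length(cves) > 0
| mv-expand cves
| where tostring(cves) has "CVE-2021-44228"
// One row per affected resource
| distinct parentResourceId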
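An offline counterpart to the query above, as an added example that is not part of the original post: it applies the same filter to sub-assessment rows already exported from ARG and groups the distinct parent resource IDs by subscription. The row layout follows the fields the query reads (id, type, properties.additionalData.cve); the sample rows, the function names and the substring matching are assumptions made for this example.

```python
import json
import re
from collections import defaultdict

CVE = "CVE-2021-44228"
# Same capture as the query's parentResourceId extract(), made case-insensitive here.
PARENT_RE = re.compile(r"(.+)/providers/Microsoft\.Security", re.IGNORECASE)
SUB_RE = re.compile(r"^/subscriptions/([^/]+)", re.IGNORECASE)
SUBASSESSMENT_TYPE = "microsoft.security/assessments/subassessments"

def affected_by_subscription(rows, cve=CVE):
    """Return {subscription_id: sorted distinct parent resource IDs} for rows listing `cve`."""
    hits = defaultdict(set)
    for row in rows:
        if (row.get("type") or "").lower() != SUBASSESSMENT_TYPE:
            continue
        props = row.get("properties") or {}
        cves = (props.get("additionalData") or {}).get("cve") or []
        # Entries may be strings or objects; serialise each one and do a
        # case-insensitive substring match (an approximation of KQL `has`).
        if not any(cve.lower() in json.dumps(c).lower() for c in cves):
            continue
        m = PARENT_RE.match(row.get("id") or "")
        if not m:
            continue
        parent = m.group(1).lower()  # Azure resource IDs are case-insensitive
        sub = SUB_RE.match(parent)
        hits[sub.group(1) if sub else "unknown"].add(parent)
    return {s: sorted(r) for s, r in hits.items()}

def _row(resource, finding, cves):
    """Build one constructed sample record (hypothetical helper)."""
    return {"id": f"{resource}/providers/Microsoft.Security/assessments/example-key/subassessments/{finding}",
            "type": "Microsoft.Security/assessments/subAssessments",
            "properties": {"additionalData": {"cve": cves}}}

# Constructed sample data, not real resources.
VM1 = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web01"
VM2 = "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-data/providers/Microsoft.Compute/virtualMachines/vm-db01"
SAMPLE_ROWS = [
    _row(VM1, "1", [{"title": "CVE-2021-44228"}]),  # affected
    _row(VM1.upper(), "2", ["cve-2021-44228"]),     # same VM, different casing: deduplicated
    _row(VM2, "3", [{"title": "CVE-2021-45046"}]),  # different CVE: ignored by default
    _row(VM2, "4", None),                           # finding without CVE data: ignored
]

if __name__ == "__main__":
    for sub_id, resources in affected_by_subscription(SAMPLE_ROWS).items():
        print(sub_id, resources)
```

Lower-casing the resource ID before deduplicating matters because the same resource can appear with different casing across findings, which a plain distinct would count twice.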
For extensive guidance, workarounds, background, analysis of the vulnerability, and the latest updates, check the continually maintained post on the Microsoft Security Response Center (MSRC) blog.