Dec 12 2021 12:38 PM - edited Dec 21 2021 12:55 PM
Microsoft is investigating the remote code execution vulnerability related to Apache Log4j (a logging tool used by many Java-based applications) disclosed on 9 Dec 2021. MITRE has designated this vulnerability as CVE-2021-44228 with a severity rating of 10.0. This was followed by vulnerabilities disclosed on Dec 14th 2021 (CVE-2021-45046), potentially affecting non-standard configurations, and Dec 16th 2021 (CVE-2021-45105).
For the latest status of Microsoft's investigation, please see Microsoft's Response to CVE-2021-44228 Apache Log4j 2.
This advisory will continue to be updated as new information becomes available.
(Last Updated 21-DEC-2021)
The advisory was updated to reflect that version 10.5.5 has been released with the latest Apache Log4j 2.17.0 and validated to mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
We strongly recommend our customers implement the following mitigation steps based on an internal analysis of possible attack vectors.
For Defender for IoT security appliances (OT network sensors and on-premises management console):
# Schedules a one-off job (via at) that adds -Dlog4j2.formatMsgNoLookups=true to every component start.sh under /var/cyberx/components/ that does not already contain it, inserts the same flag into the java argument list of /usr/local/bin/cyberx-xsense-cip-query-controllers, and then restarts all services with monit:
echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && sed -i 's/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-jar\x27,/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-Dlog4j2\.formatMsgNoLookups=true\x27, \x27-jar\x27,/' /usr/local/bin/cyberx-xsense-cip-query-controllers && monit restart all" | sudo at now + 1 minutes
# Same edit without the cyberx-xsense-cip-query-controllers step: adds the flag to every component start.sh that lacks it, then restarts all services with monit:
echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && monit restart all" | sudo at now + 1 minutes
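The one-liners above edit the JVM arguments in place on a live appliance. The script below is an added example, not Microsoft's script and not meant to be run on the appliance: it performs the same idempotent edit against constructed start.sh files in a temporary directory, so the logic (list files still lacking -Dlog4j2.formatMsgNoLookups=true, insert the flag after the -Dlog4j.configurationFile line, confirm a second run adds no duplicate) can be checked before it is run for real. The directory layout and file contents are constructed, the log4j2.xml path in the fixture is an assumption, GNU sed is assumed (for -i and the one-line a command), and the monit restart is omitted. As the advisory notes, the flag is an interim mitigation; upgrading to version 10.5.5 with Log4j 2.17.0 is the full fix.

```shell
#!/bin/sh
# Added example, not Microsoft's script: exercises the same edit as the
# advisory's one-liners against constructed start.sh files in a scratch directory.
# Assumes GNU sed (-i and the one-line "a" command); the monit restart is omitted.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Build a constructed fixture: compA still lacks the flag, compB already has it.
# The configurationFile path is an assumption, not the appliance's real path.
make_fixture() {
    root="$1"
    mkdir -p "$root/compA" "$root/compB"
    cat > "$root/compA/start.sh" <<'EOF'
java_args = []
java_args.append("-Dlog4j.configurationFile=/var/cyberx/properties/log4j2.xml")
java_args.append("-jar")
EOF
    cat > "$root/compB/start.sh" <<'EOF'
java_args = []
java_args.append("-Dlog4j.configurationFile=/var/cyberx/properties/log4j2.xml")
java_args.append("-Dlog4j2.formatMsgNoLookups=true")
java_args.append("-jar")
EOF
}

# List start.sh files under $1 that do not yet contain the flag (grep -L).
# -F -e keeps the leading "-D" of the flag from being parsed as a grep option.
list_unmitigated() {
    find "$1" -name start.sh -exec grep -L -F -e "$FLAG" {} \;
}

# Number of start.sh files still lacking the flag; 0 means fully mitigated.
count_unmitigated() {
    list_unmitigated "$1" | wc -l | tr -d ' '
}

# Insert the flag right after the -Dlog4j.configurationFile line, only in files
# that lack it, so repeated runs never append a duplicate JVM argument.
apply_mitigation() {
    list_unmitigated "$1" | while IFS= read -r f; do
        sed -i "/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"$FLAG\")" "$f"
    done
}

# Occurrences of the flag in one file (exactly 1 expected after mitigation).
flag_count() {
    grep -c -F -e "$FLAG" "$1"
}

# Stand-alone demo in a scratch directory; never touches /var/cyberx.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
echo "before: $(count_unmitigated "$demo_dir") unmitigated"
apply_mitigation "$demo_dir"
apply_mitigation "$demo_dir"   # second run must be a no-op
echo "after:  $(count_unmitigated "$demo_dir") unmitigated, compA flag count $(flag_count "$demo_dir/compA/start.sh")"
rm -rf "$demo_dir"
```

Pointing list_unmitigated at the real components directory (read-only, no sed) is a quick way to confirm that every start.sh has already been patched after the advisory's job has run.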
The Defender for IoT cloud service does not use log4j and is not vulnerable to any active attack vector caused by CVE-2021-44228 and CVE-2021-45046.
Microsoft has released a dedicated Threat Intelligence update package for detecting Log4j exploit attempts on the network (example below).
The package is available for download from the Microsoft Defender for IoT portal (Click Updates, then Download file).
MD5 Hash - 512081a7ce19e436c9ff7ed672024354
Update your system with the latest TI package:
Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release; click here for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT. Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on.
Additionally, the package can be downloaded from the Microsoft Defender for IoT portal, under Updates:
To update a package on a single sensor:
To update a package on multiple sensors simultaneously:
For more information, please review Update threat intelligence data | Microsoft Docs
Follow the MSRC blog for more information, which is updated with information and protection details as they become available. For a more in-depth analysis of the vulnerability, exploitation, detections, and mitigations, consult the RiskIQ (acquired by Microsoft in August 2021) analysis.