A “vaccine” against the Log4Shell vulnerability appears to offer a way to reduce risk from the widespread flaw affecting servers that run Apache Log4j. The script was developed by researchers at security vendor Cybereason and released for free on Friday evening, following the disclosure of the critical zero-day vulnerability late on Thursday.
The Log4Shell vulnerability affects Apache Log4j, an open source Java logging library deployed broadly in web servers and the services that run on them. The flaw is considered highly dangerous since it can enable remote code execution (RCE)—in which an attacker can remotely access and control devices—and is seen as fairly easy to exploit, as well. Log4Shell is “probably the most significant [vulnerability] in a decade,” and may end up being the “most significant ever,” Tenable CEO Amit Yoran said Saturday on Twitter.
According to W3Techs, an estimated 31.5% of all websites run on Apache servers. The list of companies with vulnerable infrastructure reportedly includes Apple, Amazon, Twitter, and Cloudflare. Vendors including Cisco, VMware, and Red Hat have issued advisories about vulnerable products.
“This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” said Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency (CISA), in a statement posted Saturday.
The vulnerability affects Apache Log4j versions 2.0 through 2.14.1, and organizations are advised to update to version 2.15.0 as quickly as possible.
Supplement to patching
But patching can be a time-consuming process. To supplement patching efforts, Cybereason says its tool—which it calls “Logout4Shell”—has the potential to “immunize” vulnerable servers, providing protection against attacker exploits that target the flaw.
While updating to the latest version of Log4j is no doubt the best solution, patching is often complex, requiring a release cycle and testing cycle, said Yonatan Striem-Amit, cofounder and chief technology officer at Cybereason. “A lot of companies find it difficult to go and deploy emergency patches,” he said in an interview with VentureBeat.
The Logout4Shell “vaccine” essentially buys security teams some time so they can roll out patches to systems, Striem-Amit said. The fix disables the vulnerability and allows organizations to remain protected while they work to update their servers, he said.
Cybereason has described the fix as a “vaccine” because it works by leveraging the Log4Shell vulnerability itself.
“The fix uses the vulnerability itself to set the flag that turns it off,” Striem-Amit wrote in a blog post. “Because the vulnerability is so easy to exploit and so ubiquitous—it’s one of the very few ways to close it in certain scenarios.”
Additionally, the Cybereason fix is “relatively simple” because only basic Java skills are required to implement it, he wrote.
Potential to help
With the Logout4Shell tool, security teams can “take a server that you suspect is vulnerable, and feed the string into places that you think are potentially vulnerable. If your application is not vulnerable at all, nothing happens,” Striem-Amit told VentureBeat.
“However, if your server is vulnerable to this attack, the exploit will get triggered, which will download the code that we supply,” he said. “And what that source code does is go into the configuration and disable the vulnerable components. So the server continues running, none the wiser—but any future attempt to exploit this vulnerability now won’t do anything. The vulnerable component is now disabled, and you’re done.”
Casey Ellis, founder and chief technology officer at bug bounty platform Bugcrowd, told VentureBeat that the Cybereason fix “appears to be genuine and has the potential to assist security teams.”
Ellis said that due to the complexity of regression testing Log4j, “I’ve already heard from a number of organizations that are pursuing the workarounds contained in the Cybereason tool as their primary approach.”
“It remains to be seen whether many enterprises choose to exploit the vulnerability itself in order to achieve this,” he said. “But I would expect at least some to use the tool selectively and situationally.”
There are some limitations for the Cybereason fix, however.
For one thing, the mitigation does not work prior to version 2.10 of Log4j. The exploit also must fire properly in order to be effective, Ellis said. “And even when it does run properly, it still leaves the vulnerable code in place,” he said.
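A small triage helper, added here as an example and not part of the article or of Cybereason's tool: it reads the log4j-core version from a jar's Maven metadata (a stand-in jar is constructed in memory) and classifies it against the ranges the article gives, so a team can see where the Logout4Shell-style stopgap can apply (2.10 through 2.14.1) and where only the 2.15.0 upgrade will do. The Maven `pom.properties` path is the standard one shipped inside log4j-core jars; the category names are this example's own.

```python
import io
import re
import zipfile

# Version boundaries as reported in the article (Log4Shell):
# affected 2.0 through 2.14.1, fixed in 2.15.0, and the flag-based
# stopgap used by Logout4Shell only applies from 2.10 onward.
AFFECTED_MIN = (2, 0, 0)
FIXED = (2, 15, 0)
FLAG_MITIGATION_MIN = (2, 10, 0)

# Maven metadata entry present inside log4j-core jars
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' or '2.10' into a comparable 3-tuple; None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(version):
    """Classify a log4j-core version string against the article's ranges."""
    v = parse_version(version) if version else None
    if v is None:
        return "unknown"
    if v < AFFECTED_MIN or v >= FIXED:
        return "not-affected"  # outside 2.0..2.14.1, or already on 2.15.0+
    if v >= FLAG_MITIGATION_MIN:
        return "affected-flag-mitigation-possible"  # 2.10..2.14.1: stopgap works, still patch
    return "affected-patch-only"  # 2.0..2.9.x: the stopgap does not apply


def log4j_version_from_jar(jar_bytes):
    """Read the log4j-core version from the Maven pom.properties inside a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def build_sample_jar(version):
    """Constructed stand-in for a log4j-core jar: only the pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.14.1", "2.9.1", "2.15.0"):
        print(ver, "->", triage(log4j_version_from_jar(build_sample_jar(ver))))
```

On a real host, point `log4j_version_from_jar` at the bytes of each log4j-core jar found on the classpath; the same function works on nested jars once they are extracted.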
Still, “this strikes me as a very clever ‘option of last resort,’” Ellis said. “Many organizations are currently struggling to inventory where Log4j exists in their environment, and updating a component like this necessitates a dependency analysis in order to avoid breaking a system in the pursuit of fixing a vulnerability.”
All of this “adds up to a lot of work. And having a ‘fire and forget’ tool to clean up anything that may have been missed at the end of it all seems like a scenario that many organizations will find themselves in, in the coming weeks,” he said.
Ultimately, “I see this as a potential supplement rather than a replacement,” he said of the Cybereason fix. “It’s critical to understand that this isn’t a solution – it’s a workaround with a number of limitations. It has intriguing potential as a tool in the toolbox as organizations reduce Log4j risk, and if it makes sense for them to use it, one of the primary reasons will be speed to risk reduction.”
Striem-Amit told VentureBeat that he’s seen a large amount of “positive feedback” about Logout4Shell, on Twitter and other websites, but said that Cybereason is not tracking usage of it.
The company also plans to develop a version of the tool that can support earlier versions of Log4j, so that all servers can be protected using this method, he noted.
Importantly, no one should see the tool as a “permanent” solution to addressing the Log4Shell vulnerability, Striem-Amit said.
“The idea isn’t that this is a long-term fix solution,” he said. “The idea is, you buy yourself time to now go and apply the best practices – patch your software, deploy a new version, and all the other things required for good IT hygiene.”