Customer Advisory: Protecting Against Apache Log4j

The Kenna Security team at Cisco and the broader security industry became aware of a critical vulnerability CVE-2021-44228 in the Apache Log4j library on December 9th. Millions of Java applications use this library to log error messages, and as such, this vulnerability is causing industry-wide problems. The Kenna Risk Score for CVE-2021-44228 is 93 out of 100, an exceptionally high score reflecting this vulnerability’s likelihood and potential impact. Less than 1% of all CVEs have a Kenna score this high.

The purpose of this communication is two-fold:

1. Make you aware of what Cisco is doing to identify and remediate affected Cisco products 
2. Share information and recommendations to help you support your enterprise proactively

What Cisco is doing to identify and remediate affected Cisco Products

Cisco immediately began an impact assessment and had teams working around the clock to assess and remediate this vulnerability within our products, services, and enterprise. The results are in our Secure Advisory, which we will continue to update with information about affected products as our investigation progresses.

Information and Recommendations for Kenna customers

Cisco | Kenna is actively helping customers deal with their security needs through Talos Incident Response services and Kenna Security’s risk scoring and threat intelligence. Here is how you can leverage these services to identify and remediate this vulnerability across your IT enterprise.

1. Ensure the signatures in your vulnerability scanner have been updated. The vulnerability assessment tool vendors continue to update their signatures to identify this vulnerability. Given that it won’t be as simple as finding installed versions of log4j but also embedded versions of the library, you will likely continue to see new findings come in.
2. Where possible, use authenticated scanning or agents.
3. Ensure your Connectors are frequently running in Kenna to ensure you are loading the most up-to-date information into your instance.
4. Once your vulnerability results are in Kenna, remember you can perform a simple query like cve:2021-44228 from the search box in the Explore view of VM to identify all instances of this vulnerability in your environment quickly.
5. We recommend prioritizing remediation based on your asset priority values and exposure of the asset to the internet. Fortunately, the Risk Meter score should automatically take care of this for you.
6. Put temporary protective measures in place while you are working through your remediation. You can find additional information, including IOCs and IDS signatures, in this Talos Threat Advisory.

Remember that it will be essential to increase the frequency of your assessments. The early scans of your environment may only identify assets with the vulnerable log4j library installed, but we continue to see more software applications with this library embedded into their jar. This issue will evolve, and it’s crucial to stay on top of your assessments.

Kenna Security expects a high volume of scanner results to be ingested into our platform through connector runs. We have already taken preemptive action for the anticipated increase in scan and vulnerability volume by scaling up our backend resources to meet the demand. We have more resources at the ready should it become necessary.

As this is widespread and expected to have a long tail across the cybersecurity landscape and industry, please check the security advisory regularly for the latest updates regarding affected or vulnerable products, thoroughly scan your environment, leverage Kenna to prioritize your actions, and always patch the most critical systems first.