
CVE-2021-44228 - Apache Log4j Security Vulnerabilities

Description

[16/12/2021] Provided a way to help users get protected quickly against the CVE (doc)

[15/12/2021] Management of the vulnerability launched by the Trustnest security governance team (white team)

[13/12/2021] First alerts from the Trustnest CSOC on the legacy "Managed Elasticsearch" service have been raised. Note 1: the current Managed Elasticsearch service offer is hosted internally on Trustnest Managed Kubernetes. Note 2: no Indicator of Compromise (IOC) from the list of malicious IPs has been found in the production Trustnest Managed Kubernetes perimeter.

[10/12/2021] Official discovery of the vulnerability

Managed Kubernetes Context / Analysis

Internal Services

Managed Kubernetes does not use any Java application (outside Microsoft Azure) to operate the service, so the service itself is not impacted by the vulnerability. Some Microsoft Azure services are impacted, such as Azure Active Directory; the fix for those is managed by Microsoft itself, as part of the SaaS service.

For Customer

First, we recommend upgrading the log4j library, which fixes the vulnerability definitively.

Second, if you still have to perform non-regression tests, or to evaluate the effort of a migration, we recommend applying at least one of the following interim measures:

  • Enable the WAF with the custom configuration explained in a custom hello world example (here)
  • Add an environment variable to any pod containing Java applications:
    LOG4J_FORMAT_MSG_NO_LOOKUPS=true
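As an added example (not part of the original page, and not Trustnest's own tooling), the script below shows the two checks a cluster operator would want before relying on the environment-variable workaround: it patches a workload manifest so that every container carries LOG4J_FORMAT_MSG_NO_LOOKUPS=true (idempotently, so re-running it is safe), and it classifies a log4j-core jar by version, because the no-lookups setting is only honoured by Log4j 2.10.0 and later; older affected releases (2.0-beta9 up to 2.9.x) can only be fixed by upgrading, which is why the page puts the upgrade first. The manifest is a constructed sample, the version ranges cover CVE-2021-44228 only (2.15.0 and later are treated as fixed for this CVE), and the helper names are my own.

```python
import copy
import re

# Constructed sample manifest (assumption, not from the page): a Deployment
# with one container lacking the workaround and one already carrying it.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "orders-api"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {"name": "app", "image": "registry.example/orders:1.4"},
                    {
                        "name": "sidecar",
                        "image": "registry.example/log-shipper:2.0",
                        "env": [{"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "true"}],
                    },
                ]
            }
        }
    },
}

MITIGATION_NAME = "LOG4J_FORMAT_MSG_NO_LOOKUPS"


def add_no_lookups_env(manifest):
    """Return a deep copy of a Deployment/StatefulSet/DaemonSet manifest in
    which every container has LOG4J_FORMAT_MSG_NO_LOOKUPS=true.
    Existing entries are corrected in place, so the function is idempotent."""
    patched = copy.deepcopy(manifest)
    containers = patched["spec"]["template"]["spec"].setdefault("containers", [])
    for container in containers:
        env = container.setdefault("env", [])
        entry = next((e for e in env if e.get("name") == MITIGATION_NAME), None)
        if entry is None:
            env.append({"name": MITIGATION_NAME, "value": "true"})
        else:
            entry["value"] = "true"        # fix a wrong/false value
            entry.pop("valueFrom", None)   # a literal value must win over a reference
    return patched


# Matches log4j-core-<major>.<minor>[.<patch>][-beta<n>|-rc<n>].jar
_JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$"
)
_PRE_RANK = {"beta": 0, "rc": 1, None: 2}  # beta < rc < final release


def parse_log4j_core_version(jar_name):
    """Return a comparable version tuple for a log4j-core jar name, or None
    if the file is not log4j-core."""
    m = _JAR_RE.search(jar_name)
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _PRE_RANK[pre], int(pre_num or 0))


FIRST_AFFECTED = (2, 0, 0, 0, 9)     # 2.0-beta9: first release with JNDI lookups
ENV_VAR_HONOURED = (2, 10, 0, 2, 0)  # 2.10.0: formatMsgNoLookups / env var introduced
FIXED_FROM = (2, 15, 0, 2, 0)        # 2.15.0: fix for CVE-2021-44228


def classify_log4j(jar_name):
    """Classify a jar against CVE-2021-44228 only:
    'not-log4j-core', 'out-of-range', 'vulnerable-upgrade-only',
    'vulnerable-env-mitigable' or 'fixed'."""
    version = parse_log4j_core_version(jar_name)
    if version is None:
        return "not-log4j-core"
    if version < FIRST_AFFECTED:
        return "out-of-range"          # predates the lookup feature for this CVE
    if version >= FIXED_FROM:
        return "fixed"
    if version >= ENV_VAR_HONOURED:
        return "vulnerable-env-mitigable"  # workaround applies, upgrade still advised
    return "vulnerable-upgrade-only"       # env var is ignored by these releases


if __name__ == "__main__":
    for jar in ("log4j-core-2.14.1.jar", "log4j-core-2.9.1.jar", "log4j-core-2.15.0.jar"):
        print(jar, "->", classify_log4j(jar))
    patched = add_no_lookups_env(SAMPLE_DEPLOYMENT)
    for c in patched["spec"]["template"]["spec"]["containers"]:
        print(c["name"], c["env"])
```

In practice the manifest would come from `kubectl get deployment <name> -o json` and the jar names from listing the image's classpath; the classification decides whether the variable is enough to buy time for the non-regression tests or whether the upgrade cannot be deferred.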

Next steps

  • Apply fixes on legacy perimeters (legacy Elasticsearch as a service)
  • List all the Java applications hosted on the current Managed Kubernetes service, and send a custom communication to their owners
  • Perform forensics to identify any real exploitation that could have happened before the discovery of the vulnerability

Sources