A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j tool used in many Java-based applications was disclosed publicly on December 9, 2021. This vulnerability is also known as the Log4shell/Logjam vulnerability. When exploited, it can enable threat actors to take full control of affected systems. CVE-2021-44228 has been given the highest severity rating (10.0) by NIST.
CyberRes continues to analyze this remote code execution vulnerability and is taking swift remediation action to help protect our customers, wherever possible.
We would like to announce that we have the following official resources available to support customers who are dealing with this issue:
- Micro Focus landing page: Micro Focus Statement on “Log4j” Vulnerabilities
- CyberRes landing page: Summary of CyberRes impact from Log4J or Logshell/LogJam (CVE-2021-44228)
ArcSight Detection Package
In addition to the above, a free ArcSight detection package has just been published on ArcSight Marketplace to help ArcSight customers fight Log4j-targeting cyberattacks. We strongly encourage customers of ArcSight ESM, ArcSight Logger, and ArcSight Recon to visit the page and deploy the content package.
Apache Log4j (CVE-2021-44228) Monitoring: Special ArcSight Content Pack
Package Details
While more details are available on the ArcSight Marketplace page, we’d like to share some of these details here as well. The following resources are available in this package:
For ArcSight ESM
- Real-time detection of any suspicious activities related to Log4j-targeting attacks, using real-time threat intelligence feeds (through MISP Model Import Connector—available to all ArcSight ESM customers for free)
- Real-time alert and search on Log4j suspicious activities detected by an IDS
- Real-time alert and search on Log4j vulnerabilities reported by Nessus Vulnerability Analyzer solution, a supported IDS, or from webs server logs
- These detections will fall under the following MITRE ATT&CK techniques:
- T1190-Exploit Public-Facing Application
- 002-Spearphishing Link
For ArcSight Recon and Logger
- Hunt and search queries to detect RCE attempts utilizing a variety of log sources, including Proxy events, Nessus and Snort signatures, Vulnerability Analyzer/scanner solutions, Sysmon events
- Hunt and search queries to detect the installation of Log4j components, across the organization, utilizing Sysmon events
- Hunt and search queries for detection of special text from proxy logs’ UserAgent header fields
Conclusion
We are excited to make this content available to our customers to help them combat this latest global cyberthreat. Please note that we will continue to update the pages mentioned at the top of this blog post with new content as it becomes available.
Finally, we want to thank all our customers for choosing ArcSight, for sharing your feedback and experiences, and for giving us the opportunity to help keep your organizations secure.