Join us for a webinar on Wednesday, December 15th as Zscaler ThreatLabz experts provide guidance on any and all emerging details on the Apache CVE-2021-44228 vulnerability, as well as best practices for mitigating the impact of future vulnerabilities.
Recently, a zero-day vulnerability (CVE-2021-44228) was discovered in the popular Apache Log4j logging library, which could allow an attacker full remote code execution. There is evidence that this vulnerability is being exploited in the wild. This logging library is commonly used by enterprise apps and cloud services, with many enterprise deployments supporting private apps. Apache has since released a security update and provided recommended configurations for earlier versions that mitigate the vulnerability's impact, and we strongly encourage all IT admins to update their software immediately if they haven't already done so.
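Acting on that advice starts with knowing where log4j-core actually lives, which is rarely only the obvious place: it is routinely bundled inside application wars and fat jars. The Python scanner below is an added example (not from the original post or from Zscaler): it walks a directory tree, descends into nested archives, reports each log4j-core's manifest version, and flags builds in which the JndiLookup class (whose removal was Apache's documented mitigation for releases that could not be upgraded) is still present. The `MAX_NESTING` limit and the archive suffix list are assumptions.

```python
import io
import os
import re
import zipfile

# Presence of this class means the log4j-core build still performs JNDI lookups;
# Apache's published mitigation for older releases was to delete it from the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")  # assumption: containers worth opening
MAX_NESTING = 3  # assumption: wars and fat jars carry log4j-core inside WEB-INF/lib and the like


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or 'unknown' if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    match = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else "unknown"


def inspect_archive(data, location, depth=0):
    """Yield (location, version, jndi_lookup_present) for every log4j-core found in
    this archive or in archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container: corrupt file or mislabelled extension
    names = zf.namelist()
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        yield (location, manifest_version(zf), JNDI_LOOKUP_CLASS in names)
    if depth < MAX_NESTING:
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(zf.read(name), f"{location}!{name}", depth + 1)


def scan_tree(root):
    """Walk a directory tree and report every embedded log4j-core, however deeply nested."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings
```

Run `scan_tree("/path/to/app/server")` and treat every finding with `jndi_lookup_present == True`, or a version older than the fixed release named in Apache's advisory, as a system to patch first.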
Zscaler has confirmed no impact to its services from the CVE-2021-44228 vulnerability. Please read the ThreatLabz threat advisory post if you’d like more technical details on this vulnerability. If you are concerned that you may have been impacted, run a complimentary internet attack surface analysis to see if you have any external attack surface using Apache.
Given the wide-scale enterprise adoption of Apache Struts and other related offerings, this vulnerability has the potential to echo for months and potentially years to come, with ransomware gangs and cybercrime actors leveraging it to cause untold damage. Unfortunately, this type of discovery is nothing new, and like Heartbleed and Shellshock before it, serves to highlight the inherent risk in our interconnected digital world.
What’s also clear to me is that if you are depending upon VPNs and firewalls to protect your enterprise, you are at much greater risk of damage than you would be using a true zero trust network architecture. First, let’s consider why firewalls and VPNs introduce significant risk when a vulnerable version of Apache is used on an internal app:
Given this, I’d ask: how many of you are still using firewalls and VPNs? Now is the time to develop a plan for the next 3, 6, or 9 months. It can’t be done overnight, but it is one of the most significant steps you can take to minimize your business risk.
Endless ink has been spilled describing zero trust and the inherent security benefits compared to legacy approaches, but let me summarize using the Apache vulnerability as a framework.
In this case, security researchers at Alibaba Cloud discovered a zero-day vulnerability, meaning that without an emergency security update, every customer running a vulnerable version is at risk. Not only this, but the vulnerability allows full remote code execution, giving full administrator access to the underlying Apache service and all data within it. In order to exploit this vulnerability, an attacker must first find the app itself. To stop attackers from doing so:
Ensure only authorized users can access apps: Cybersecurity is most effective when you can achieve a layered defense as part of an integrated platform. Beyond making vulnerable apps invisible, Zscaler only allows authorized users to access apps authorized in policy based on immutable identity from leading vendors like Azure AD, Okta, Duo, or Ping. If an attacker isn’t authorized to access a vulnerable app, they would be prevented from doing so.
Should an attacker successfully establish a foothold within an enterprise network, either through exploiting the Apache vulnerability or other means, they will inevitably progress their attack by attempting to move laterally to compromise additional systems, install ransomware, and exfiltrate data. Therefore, you should:
If you want to protect your enterprise from zero-day vulnerabilities, retire your firewalls and VPNs and embrace a true zero trust architecture with the Zscaler Zero Trust Exchange.
Request a custom zero trust exchange demo today to get started on your journey.
Run a complimentary internet attack surface analysis to see if you have any external attack surface using Apache.
Join our webinar on Wednesday, December 15th for more details and expert guidance on the Apache vulnerability.