
Prevent the Apache Log4j Java Library Vulnerability With a Zero Trust Architecture


Join us for a webinar on Wednesday, December 15th as Zscaler ThreatLabz experts provide guidance on any and all emerging details on the Apache CVE-2021-44228 vulnerability, as well as best practices for mitigating the impact of future vulnerabilities.

Recently, a zero-day vulnerability (CVE-2021-44228) was discovered in the popular Apache Log4j logging library that could allow an attacker full remote code execution. There is evidence that this vulnerability is being exploited in the wild. The library is commonly used by enterprise apps and cloud services, including many enterprise deployments of private apps. Apache has since released a security update and provided recommended configurations for earlier versions that mitigate the vulnerability's impact; we strongly encourage all IT admins to update their software immediately if they haven't already done so.

Zscaler has confirmed no impact to its services from the CVE-2021-44228 vulnerability. Please read the ThreatLabz threat advisory post if you’d like more technical details on this vulnerability. If you are concerned that you may have been impacted, run a complimentary internet attack surface analysis to see if you have any external attack surface using Apache.
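As an added example (not Zscaler's code and not its attack surface analysis service), the following Python script triages a self-maintained asset inventory by the two questions raised above: is the app still on a Log4j version older than Apache's fixed release, and is its listener reachable from the internet? The inventory, hostnames and version strings are constructed for the example; the fixed Log4j version is not stated on this page, so it is a caller-supplied parameter and the sample run passes an obviously made-up placeholder.

```python
"""Patch-priority triage for an internal asset inventory (added example, not Zscaler tooling).

Assumes an inventory you maintain yourself with, per app: the host, whether its
listener is published to the internet, and the Log4j version it bundles
(None when the app does not use Log4j). `fixed_version` is supplied by the
caller; substitute the version named in Apache's advisory.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    host: str
    app: str
    internet_reachable: bool      # listener reachable from the internet?
    log4j_version: Optional[str]  # None when the app does not bundle Log4j


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.15.0-rc1' and pads to 3 parts."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:          # pad so '2.15' compares equal to '2.15.0'
        parts.append(0)
    return tuple(parts)


def is_vulnerable(asset, fixed_version):
    """True when the app bundles a Log4j older than the fixed release."""
    if asset.log4j_version is None:
        return False
    return parse_version(asset.log4j_version) < parse_version(fixed_version)


PRIORITY = {
    # (vulnerable, internet_reachable) -> (rank, recommended action); lower rank = act first
    (True, True): (0, "patch now and remove the public listener"),
    (True, False): (1, "patch now; restrict access to authorized users only"),
    (False, True): (2, "patched; still review why the app is internet-visible"),
    (False, False): (3, "no action"),
}


def triage(inventory, fixed_version):
    """Return [(host, app, action)] ordered highest-risk first."""
    scored = []
    for a in inventory:
        rank, action = PRIORITY[(is_vulnerable(a, fixed_version), a.internet_reachable)]
        scored.append((rank, a.host, a.app, action))
    scored.sort()
    return [(host, app, action) for _, host, app, action in scored]


# Constructed sample inventory: hostnames, app names and versions are made up.
SAMPLE_INVENTORY = [
    Asset("web-portal-01", "customer portal", True, "2.14.1"),
    Asset("hr-app-02", "hr self-service", False, "2.11.0"),
    Asset("api-gw-03", "partner api", True, "2.99.0"),
    Asset("wiki-04", "internal wiki", False, None),
]

if __name__ == "__main__":
    # "2.99.0" is a placeholder, not the real fixed version; take that from Apache's advisory.
    for host, app, action in triage(SAMPLE_INVENTORY, fixed_version="2.99.0"):
        print(f"{host:14} {app:16} {action}")
```

The ordering deliberately puts "vulnerable and internet-reachable" first and "patched but internet-reachable" ahead of "nothing to do": the post's argument is that exposure itself is a risk that outlives any single patch.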

Given the wide-scale enterprise adoption of Apache Struts and other related offerings, this vulnerability has the potential to echo for months and potentially years to come, with ransomware gangs and cybercrime actors leveraging it to cause untold damage. Unfortunately, this type of discovery is nothing new, and like Heartbleed and Shellshock before it, serves to highlight the inherent risk in our interconnected digital world.

What’s also clear to me is that if you are depending upon VPNs and firewalls to protect your enterprise, you are at much greater risk of damage than you would be using a true zero trust network architecture. First, let’s consider why firewalls and VPNs introduce significant risk when a vulnerable version of Apache is used on an internal app:

  • Legacy network security solutions publish apps to the internet to allow access, enabling them to be identified by attackers using freely available tools like Shodan to target for exploitation.
  • Firewalls and VPNs put every user onto the network for application access, allowing an attacker or compromised user to move laterally across an enterprise to deliver ransomware or steal data once an initial foothold has been established through a vulnerability. App access should never require network access.
  • Much has been said about how the pandemic accelerated our collective move to a hybrid workforce, and I won’t repeat it except to say - not only do firewalls and VPNs introduce significant risk, they are slow, outdated, and complex for a remote workforce to access a private app. No one wants a risky solution with a poor user experience.

Given this, I’d ask: how many of you are still using firewalls and VPNs? Now is the time to develop a plan for the next 3, 6, or 9 months - as it can’t be done overnight, but it is one of the most significant steps you can take to minimize your business risk.


Four simple steps to reducing risk with a zero trust architecture:

Endless ink has been spilled describing zero trust and the inherent security benefits compared to legacy approaches, but let me summarize using the Apache vulnerability as a framework.

In this case, security researchers at Alibaba Cloud discovered a zero-day vulnerability, meaning without an emergency security update, every customer running a vulnerable version is at risk. Not only this, but the vulnerability allows full remote code execution, allowing full administrator access to the underlying Apache service and all data within it. In order to exploit this vulnerability, an attacker must first find the app itself. To stop attackers from doing so:

  1. Minimize your attack surface and make apps invisible: Adopting a zero trust architecture, like the Zscaler Zero Trust Exchange, and specifically Zscaler Private Access (ZPA), allows you to make all of your internal apps completely dark and invisible to the internet. When they are hidden behind the zero trust platform, attackers cannot find or exploit them, which safeguards even vulnerable versions of Apache from this and future vulnerabilities, something legacy VPNs and firewalls cannot do.

  2. Ensure only authorized users can access apps: Cybersecurity is most effective when you can achieve a layered defense as part of an integrated platform. Beyond making vulnerable apps invisible, Zscaler only allows authorized users to access the apps that policy permits, based on immutable identity from leading vendors like Azure AD, Okta, Duo, or Ping. If an attacker isn’t authorized to access a vulnerable app, they are prevented from doing so.

Should an attacker successfully establish a foothold within an enterprise network, whether by exploiting the Apache vulnerability or by other means, they will inevitably progress their attack by attempting to move laterally to compromise additional systems, install ransomware, and exfiltrate data. Therefore, you should:

  3. Prevent lateral movement with user-to-app and app-to-app microsegmentation: ZPA decouples application access from network access by directly connecting users to resources through a reverse tunnel that never puts users on the network. When app access doesn’t require network access, any potential lateral spread of an infection is prevented, even if an initial foothold has been established. Furthermore, the Zero Trust Exchange extends the same zero trust policy to public cloud workloads through Zscaler Workload Segmentation, stopping lateral movement within a data center or cloud environment. In either case, the Zscaler platform prevents a single infected server from being used to compromise the entire enterprise.

  4. Inspect both inbound and outbound traffic: Visibility and monitoring are cornerstones of zero trust. By inspecting all traffic—both encrypted and unencrypted—you can block the initial compromise as attackers attempt to access your environment from the internet, and can also stop post-exploitation activities, such as communicating with command-and-control servers or exfiltrating data. Zero Trust Zscaler Internet Access (ZIA) does both. ZIA Advanced Threat Protection inspects both internet-to-server and server-to-internet traffic for indicators of compromise associated with known exploits in the wild, helping to block, detect, and mitigate attacks.
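To make steps 1 through 3 concrete, here is an added Python example (not Zscaler's code and not an implementation of ZPA) of a deny-by-default access broker: apps have no listener of their own, every decision is made per identity and per app, a refusal looks the same whether the app exists or not, and the full reason is written only to the defender's audit log. The names Identity, AppPolicy and AccessBroker, and the sample users and policies, are constructed for the example.

```python
"""Deny-by-default application access broker (added example, not Zscaler code).

Models the behaviour described in steps 1-3: an identity is never placed on a
network; a successful decision yields a handle scoped to exactly one app, and
every refusal is identical so an unauthorized caller cannot enumerate apps.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str                 # a person or a workload; both are evaluated the same way
    groups: frozenset
    device_compliant: bool


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset
    require_compliant_device: bool = True


GENERIC_DENY = "access denied"   # same text for unknown app, wrong group, bad device


class AccessBroker:
    def __init__(self, policies):
        # Apps are dark: the only path to them is a decision made here.
        self._policies = {p.app: p for p in policies}
        self.audit = []           # (user, app, outcome) for the defender only

    def request(self, identity, app):
        """Return (allowed, detail); detail is an app-scoped handle when allowed."""
        policy = self._policies.get(app)
        if policy is None:
            reason = "unknown app"
        elif not (identity.groups & policy.allowed_groups):
            reason = "group not authorized"
        elif policy.require_compliant_device and not identity.device_compliant:
            reason = "device not compliant"
        else:
            reason = None
        # The specific reason goes to the audit trail, never back to the caller.
        self.audit.append((identity.user, app, reason or "allowed"))
        if reason:
            return False, GENERIC_DENY
        # A handle for one app only: reaching another app is a separate decision,
        # which is what user-to-app (and app-to-app) segmentation means here.
        return True, f"app-handle:{app}:{identity.user}"

    def visible_apps(self, identity):
        """Apps this identity is entitled to see; everything else stays invisible."""
        return sorted(
            p.app for p in self._policies.values()
            if identity.groups & p.allowed_groups
            and (identity.device_compliant or not p.require_compliant_device)
        )


# Constructed sample policies and identities.
POLICIES = [
    AppPolicy("hr-portal", frozenset({"hr"})),
    AppPolicy("wiki", frozenset({"staff", "hr"}), require_compliant_device=False),
]
ALICE = Identity("alice", frozenset({"hr", "staff"}), device_compliant=True)
BOB = Identity("bob", frozenset({"staff"}), device_compliant=False)

if __name__ == "__main__":
    broker = AccessBroker(POLICIES)
    for who, app in [(ALICE, "hr-portal"), (BOB, "hr-portal"), (BOB, "wiki"), (BOB, "payroll")]:
        print(who.user, app, broker.request(who, app))
    print("audit:", broker.audit)
```

Note that `request` never returns a network route or a host address: a foothold on one app, or a stolen handle, yields nothing usable against a second app without passing a fresh decision, which is the property step 3 relies on.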

If you want to protect your enterprise from zero-day vulnerabilities, retire your firewalls and VPNs and embrace a true zero trust architecture with the Zscaler Zero Trust Exchange.


Request a custom zero trust exchange demo today to get started on your journey.
