- January 5, 2022: Netflow Data Analysis and service provider recommendations.
- December 16, 2021: Added more FAQs; added screenshots of filters; added instructions for checking your My Company or SPM Subsidiary.
- December 14, 2021: Products with published advisories; Recommended report.
Log4j is an open-sourced Java logging tool and software library developed by the Apache Software Foundation. It can be part of many different Java software services and is used in many common frameworks, including Apache Struts, Apache Solr, Apache Druid, and Apache Flink.
On December 10, 2021, a critical vulnerability that allows for unauthenticated remote code execution (RCE) was discovered in Apache Log4j 2. The Apache Software Foundation has identified the vulnerability as CVE-2021-44228.
According to Apache, the following Log4j versions are affected: all log4j-core versions ≥ 2.0-beta9 and ≤ 2.14.[1]
Resources
- Bitsight Academy
- Bitsight Blog, “Bitsight Observes Widespread Apache Log4j 2 Vulnerability Exposure”
- Affected Products & Advisories
- GitHub, “CISA Log4j (CVE-2021-44228) Vulnerability Guidance”
What You Can Do
Affected Products & Advisories
See affected products with published advisories.
Identify Potentially Vulnerable Third Parties
Search in the Bitsight Platform
Identify third parties using Java-based servers that may be vulnerable to better understand the scope of impact to your portfolio. Use the Companies List page to search across your portfolio.
Refine your search to show only companies using Java-based products and services. Use the “Search filter options…” bar in the Filters column to search for “Java.”
We recommend selecting all Java products from the Open Ports, Software, and Products filter sections.
- Ignore results that include the text “java” within the name, such as “javascript.”
- Selecting products within a single filter section results in an implicit OR condition; selecting products from multiple filter sections results in an AND condition and may unintentionally exclude results. This applies to both the Companies List and the Portfolio Impact report.
Leverage Netflow Data Analysis
Our Security Research and Data Science teams have been able to leverage Netflow Data Analysis to provide some additional visibility into potential exposure across your portfolio.
Netflow enables us to observe Internet traffic between two IP:port pairs (a source and a destination), as depicted in the following image:
The attached file includes:
- All observed Netflow traffic that’s mapped to a company in your portfolio.
- All Netflow observations for companies in your portfolio from December 1 through December 17, 2021.
- Data fields include:
  - Asset Type
  - Industry
  - IP (masked)
  - Company Unique Identifier (GUID)
  - Company Name
Though this data does not flow into the Bitsight platform today, we can provide filtered views of affected companies and IP addresses across your portfolio.
An IP address communicating with a callback endpoint is likely vulnerable and may even be compromised. This approach does not provide an exhaustive view of exposure, and it also captures connections that are unrelated to compromise (such as traffic generated by researchers), but it gives a reasonably high-confidence view of the affected IP addresses observed in this way. There is typically no legitimate reason for an IP address to be communicating with these endpoints.
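The filtering step described above, as an added example that is not part of the original page or of Bitsight's tooling: constructed Netflow records are matched against placeholder callback endpoints, restricted to the December 1 through December 17, 2021 window, and mapped back to portfolio companies by address range. The company ranges, endpoint addresses and flow records are all constructed sample data.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: which portfolio company owns which address space (assumed mapping).
PORTFOLIO = {
    "Acme Corp": ["203.0.113.0/24"],
    "Globex Hosting": ["198.51.100.0/25"],
}

# Constructed placeholder callback endpoints (ip, port); real indicators come from your own intel feed.
CALLBACK_ENDPOINTS = {("192.0.2.10", 1389), ("192.0.2.20", 1389)}

# December 1 through December 17, 2021 inclusive (half-open upper bound).
OBSERVATION_WINDOW = (datetime(2021, 12, 1, tzinfo=timezone.utc),
                      datetime(2021, 12, 18, tzinfo=timezone.utc))

# Constructed Netflow records: timestamp, source IP:port, destination IP:port.
SAMPLE_FLOWS = """\
timestamp,src_ip,src_port,dst_ip,dst_port
2021-12-11T03:14:00Z,203.0.113.7,51234,192.0.2.10,1389
2021-12-12T08:00:00Z,203.0.113.7,51300,192.0.2.10,1389
2021-12-13T10:22:00Z,198.51.100.5,40001,192.0.2.20,1389
2021-12-13T10:25:00Z,198.51.100.5,40002,192.0.2.99,443
2021-11-30T23:59:00Z,203.0.113.9,50000,192.0.2.10,1389
2021-12-14T12:00:00Z,8.8.8.8,5353,192.0.2.10,1389
"""

def company_for(ip):
    """Map a source IP to the portfolio company whose range contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in PORTFOLIO.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None

def flag_callback_flows(csv_text, endpoints=CALLBACK_ENDPOINTS, window=OBSERVATION_WINDOW):
    """Return {company: {src_ip: flow_count}} for in-window flows to a callback endpoint."""
    findings = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if not (window[0] <= ts < window[1]):
            continue  # outside the analysed date range
        if (row["dst_ip"], int(row["dst_port"])) not in endpoints:
            continue  # ordinary traffic, not a callback destination
        company = company_for(row["src_ip"])
        if company is None:
            continue  # source is not mapped to a portfolio company
        findings[company][row["src_ip"]] += 1
    return {c: dict(v) for c, v in findings.items()}
```

Flows outside the window, to non-callback destinations, or from unmapped sources are dropped, so the output is the filtered per-company view the page describes.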
Note for Service Providers
Many of the observations are service providers that are hosting services controlled by their customers, identified using passive DNS (however, this is not universally feasible). The vulnerabilities in these systems may not affect the security of the service provider themselves.
Service providers may also use Log4j in their own environment. Given the volume of inbound requests the larger service providers are likely fielding, we recommend asking them what efforts they have taken to identify Log4j and mitigate the vulnerabilities, and checking the guidance the provider has published (for example, Google Cloud and AWS).
Learn more about Shared Responsibility with Cloud Service Providers.
See if Your Organization is Vulnerable
Use the Assets tab to determine if a company in your organization is vulnerable.
- Open Ports: Identifies companies with running services that have been identified as using Java. Expand the # Selected dropdown and enter “java” into the filter’s search bar. If there are matches, drill into the company’s Diligence tab and search for “java” to find the specific assets.
- Software: Expand the # Selected dropdown within the Software section and enter “java” into the filter’s search bar. You may also want to filter for software listed in GitHub.[2]
- Products: Expand the # Selected dropdown and enter “java” into the filter’s search bar, but exclude JavaScript. You may also want to filter for software listed in GitHub.[2]
Reporting
Portfolio Impact – Quickly assess and communicate how this vulnerability affects your portfolio and share those findings with colleagues and executives.
Frequently Asked Questions
- Is Bitsight Technologies, Inc. exposed to the Log4j vulnerability?
- Which Java products are affected?
- Will this affect Bitsight Security Ratings?
- Why is CVE-2021-44228 not in the Bitsight platform?
Is Bitsight Technologies, Inc. exposed to the Log4j vulnerability?
At this time, our usage of the affected Apache Log4j library is limited to internal, backend services. Our analysis has not found any indication that the vulnerability was exploited within our organization. The remaining Log4j vulnerabilities in Bitsight services have no direct impact on customer data and on customer infrastructure.
- Our primary internet-exposed web app is not written in Java. Therefore, the Bitsight Security Ratings Platform has no exposure to this vulnerability.
- Our hosting provider created a rule on December 9, 2021 to block any attempts to exploit this vulnerability. There is no impact to the Bitsight service resulting from this vulnerability.
Which Java products are affected?
The Bitsight platform does not currently reflect this information. Please refer to the affected products and advisories list.
Will this affect Bitsight Security Ratings?
There are no plans to incorporate current Bitsight observations of potentially vulnerable systems into ratings. We continue to research ways to expand the breadth of our data through widespread, non-invasive, and high-confidence surveys.
Why is CVE-2021-44228 not in the Bitsight platform?
Some vulnerabilities are impossible to externally observe in a safe, predictable way. Unfortunately, the Log4j vulnerability appears to be one of them. We continue to research safe scans that could be implemented.