How to Buy Precious Patching Time as Log4j Exploits Fly

2021-12-14 17:21

You have to go into each one of your servers and see, Are we using Log4J either directly or indirectly in that environment? And if the answer is yes, then how can we mitigate that risk? Which, again, is trivially exploitable to a single string and takes, you know, minutes to set up an exploitation.

If you're buying a software that's deployed on-premise, you don't necessarily have access into the innards of the server to start or patching the Log4J libraries.

Then when you add the MSP question that you asked earlier, it's really about how do you make sure that you collaborate between the MSPs, the security team and the IT team or any company to really go and see, "Can we patch quickly enough? Can we go and install the mitigations that were published at the get-go over those servers? And if everything else fails, can we use Cybereason's vaccine to help at least buy time in this scenario?".

We've had at this point, an ability to set up an attack server, which, once you attack your own server environment, it basically shuts off and applies the mitigation that was available at the time on that particular server, making the server effectively immune for that exploitation.

No matter how much of a variation you use, as long as it uses the same vulnerability, and no matter what variation of the vulnerability is involved, they all get blocked because we basically remove the mechanism that does this, and the JNDI itself gets blocked, and therefore cannot be abused further cause it's just removed from the server.

So our vaccine is there to help you buy time and kind of buy the peace of mind to go into the [proper] solution, "At your leisure quote, unquote." Again, it's not, actually leisurely - you absolutely should be using the official patch, but the vaccine is here to help you buy time to do it.

News URL

https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/

#exploit #log4j