Runecast responds to critical Log4j vulnerabilities

‍‍This article has been updated to include the latest definitions release of Runecast.

TL;DR

Runecast helps customers discover vulnerable Log4j instances in their Windows and Linux applications.

Both Runecast and its detection capabilities for customer environments have been patched and continuously improved in each version since 6.0.1 to reflect new and updated log4j-related CVEs.

28 January 2022 – Release of Runecast Analyzer 6.0.5.2

• Updated Runecast content according to new vCenter and ESXi patches released.
• VMware has released patches for NSX-T 2.x, 3.0.x and 3.1.x products, as well as VMware NSX Data Center for vSphere (NSX-V) 6.x, which resolve the Log4j security issues on these products. 
• VMware has released a patch for vCenter Server 7.0 which resolves the Log4j security issue, while the VMware vCenter Server 6.x products are updated, but no patch has been released from VMware to fix the security issue.
  

21 December 2021 – Release of Runecast Analyzer 6.0.4

• Added a rule detecting a newly published log4j2 vulnerability (CVE-2021-45105)
• Updated log4j to version 2.17 to address CVE-2021-45105
• Updated ElasticSearch and Logstash to 6.8.22 which contain the latest log4j 2.17
• Fixed the OS agents installation script to work with localized Windows versions
• Updated the VMSA-2021-0028 body in the UI according to the latest VMware updates
• Updated the VMware Horizon log4j analysis rule as now there is a patch released, based on VMSA-2021-0028
• Adjusted the Apache Log4j2 Security Update CVE-2021-45046 severity to Critical
• ‍(introduced in 6.0.3) Improved detection of CVE-2021-44228 reducing false positives‍

17 December 2021 – Release of Runecast Analyzer 6.0.3

• Updated detection of Apache Log4j Java library vulnerability (CVE-2021-44228) on Windows and Linux which improves the results accuracy and makes the results more explanatory
• Detection on Windows, Linux, and VMware of newly added Apache Log4j Java library vulnerability (CVE-2021-45046)
• Updated Elasticsearch and Logstash components to version 6.8.21 to address CVE-2021-44228 and 2021-45046
• New Windows 2016 Domain Controller CIS profile added that extends the compliance capabilities on Microsoft platform‍

15 December 2021 – Release of Runecast Analyzer 6.0.2

• Detection of Apache Log4j Java library vulnerability (CVE-2021-44228) on Windows and Linux and Kubernetes
• Applied Log4j vulnerability workaround on Elasticsearch components
• Log4j library used in Runecast Analyzer updated to latest recommended version – 2.16.0
• Update of VMSA-2021-0028 to cover NSX-V 

12 December 2021 – Release of Runecast Analyzer 6.0.1

• Apache Log4j Java library is updated to version 2.15.0 to address CVE-2021-44228
• Critical VMSA-2021-0028 is covered by Runecast Analyzer

Our response to Log4Shell

On Friday, December 10th 2021, a critical vulnerability in the Apache Log4j Java library (used by thousands of enterprise apps), Log4Shell, was disclosed. A zero-day exploit was found in log4j2, a popular third-party library which many services include as a dependency. By sending a request to any endpoint which writes its content into the application's log file, an attacker can trick the application into loading and executing untrusted code from a malicious server.

Our development team worked tirelessly and well into the small hours of Sunday morning to update the Runecast platform for our clients to counter the Log4Shell vulnerability. For those who may be new to the Runecast community, this is the level of service that we always strive to provide our customers.

A VMSA was released by VMware (VMSA-2021-0028) in response to the highly critical CVE-2021-44228 vulnerability.

Runecast 6.0.1.0 was released on Sunday, 12 December, to help customers discover VMware products in their environment affected by VMSA-2021-0028.

Log4j is a widely used Java component in thousands of applications and VMware is just one of the vendors whose applications were affected. To help customers discover any Windows and Linux application affected by the log4j vulnerability, Runecast released Log4Shell scanning as part of the brand new proactive OS analysis functionality on 15 December.

Due to the severity and widespread impact of this issue, Runecast is currently offering an assessment of your estate. This includes all applications running on Windows, Linux, VMware, and even Kubernetes on Linux, as stated above.

AWS, Azure, and Kubernetes

For Kubernetes, AWS or Azure, this vulnerability affects the application layer (as it did with VMware). If you have workloads like Linux and Windows servers running on these platforms, then Runecast already covers it (with version 6.0.2.0). It’s important to note that Windows and Linux themselves are not affected, but Runecast Analyzer sees deeper and looks at the applications running within those operating systems. What’s more, where the Runecast OS agent is installed on a Linux Kubernetes Node, Runecast Analyzer can see the container processes and detect the Java vulnerability inside. 

Where automatic updates are enabled, Runecast customers should already have this VMSA and vulnerabilities covered, with offline updates available through the Runecast customer portal as usual. We strongly recommend updating to the latest Runecast Analyzer version - both to ensure Runecast Analyzer is patched, and also to enable Log4Shell analysis for your VMware, Windows and Linux applications. 

Security never sleeps

For anyone who thought that December would be a quiet month this just proves that security doesn’t have an off switch, and we are once again impressed with the dedication and hard work of our development team to react to critical vulnerabilities like this in such a short time period.

As we are in the early days of the vulnerability being reported we believe that threat actors and cyber criminals will use this vulnerability, which likely means greater harm and risk in the coming days. This is why we move heaven and earth to cover these vulnerabilities as quickly and comprehensively as possible. 

This year we as a team have covered a number of VMware Security Advisories and critical security events. Common Vulnerabilities and Exposures (CVEs) like these provide definitions for publicly disclosed cybersecurity vulnerabilities and exposures, and the VMSA provides VMware’s resolution and workaround information. This information is carefully evaluated and parsed by Runecast and our development team to ensure that the critical infrastructure that you rely on, and we protect, is safe as soon as possible. 

Runecast 6.0.2 is a monumental release that introduces not only Windows and Linux analysis but dives deeper into the application level, to ensure customers have full protection against critical vulnerabilities.

As always, if you have any questions you can reach out to us via our contact us form or on Twitter with any feedback or questions.