Runecast responds to Apache Log4j Java vulnerability

Critical vulnerabilities covered in Runecast Analyzer

This original article regarding Runecast 6.0.1 has been updated to include the latest information about back-to-back minor releases that have followed due to ongoing updates to the associated CVEs.

TL;DR

Runecast helps customers discover vulnerable Log4j instances in their Windows and Linux applications.

Both Runecast and its detection capabilities for customer environments have been patched and continuously improved in each version since 6.0.1 to reflect new and updated log4j-related CVEs.

21 December 2021 – Release of Runecast Analyzer 6.0.4

  • Added a rule detecting a newly published log4j2 vulnerability (CVE-2021-45105)
  • Updated log4j to version 2.17 to address CVE-2021-45105
  • Updated ElasticSearch and Logstash to 6.8.22 which contain the latest log4j 2.17
  • Fixed the OS agents installation script to work with localized Windows versions
  • Updated the VMSA-2021-0028 body in the UI according to the latest VMware updates
  • Updated the VMware Horizon log4j analysis rule as now there is a patch released, based on VMSA-2021-0028
  • Adjusted the Apache Log4j2 Security Update CVE-2021-45046 severity to Critical
  • (introduced in 6.0.3) Improved detection of CVE-2021-44228 reducing false positives

17 December 2021 – Release of Runecast Analyzer 6.0.3

  • Updated detection of Apache Log4j Java library vulnerability (CVE-2021-44228) on Windows and Linux which improves the results accuracy and makes the results more explanatory
  • Detection on Windows, Linux, and VMware of newly added Apache Log4j Java library vulnerability (CVE-2021-45046)
  • Updated Elasticsearch and Logstash components to version 6.8.21 to address CVE-2021-44228 and 2021-45046
  • New Windows 2016 Domain Controller CIS profile added that extends the compliance capabilities on Microsoft platform

15 December 2021 – Release of Runecast Analyzer 6.0.2

  • Detection of Apache Log4j Java library vulnerability (CVE-2021-44228) on Windows and Linux and Kubernetes
  • Applied Log4j vulnerability workaround on Elasticsearch components
  • Log4j library used in Runecast Analyzer updated to latest recommended version – 2.16.0
  • Update of VMSA-2021-0028 to cover NSX-V 

12 December 2021 – Release of Runecast Analyzer 6.0.1

  • Apache Log4j Java library is updated to version 2.15.0 to address CVE-2021-44228
  • Critical VMSA-2021-0028 is covered by Runecast Analyzer

Our response to Log4Shell

On Friday, December 10th 2021, a critical vulnerability in the Apache Log4j Java library (used by thousands of enterprise apps), Log4Shell, was disclosed. A zero-day exploit was found in log4j2, a popular third-party library which many services include as a dependency. By sending a request to any endpoint which writes its content into the application's log file, an attacker can trick the application into loading and executing untrusted code from a malicious server.

Our development team worked tirelessly and well into the small hours of Sunday morning to update the Runecast platform for our clients to counter the Log4Shell vulnerability. For those who may be new to the Runecast community, this is the level of service that we always strive to provide our customers.

A VMSA was released by VMware (VMSA-2021-0028) in response to the highly critical CVE-2021-44228 vulnerability.

Runecast 6.0.1.0 was released on Sunday, 12 December, to help customers discover VMware products in their environment affected by VMSA-2021-0028.

Log4j is a widely used Java component in thousands of applications and VMware is just one of the vendors whose applications were affected. To help customers discover any Windows and Linux application affected by the log4j vulnerability, Runecast released Log4Shell scanning as part of the brand new proactive OS analysis functionality on 15 December.

Due to the severity and widespread impact of this issue, Runecast is currently offering a free assessment of your estate. This includes all applications running on Windows, Linux, VMware, and even Kubernetes on Linux, as stated above.

AWS, Azure, and Kubernetes

For Kubernetes, AWS or Azure, this vulnerability affects the application layer (as it did with VMware). If you have workloads like Linux and Windows servers running on these platforms, then Runecast already covers it (with version 6.0.2.0). It’s important to note that Windows and Linux themselves are not affected, but Runecast Analyzer sees deeper and looks at the applications running within those operating systems. What’s more, where the Runecast OS agent is installed on a Linux Kubernetes Node, Runecast Analyzer can see the container processes and detect the Java vulnerability inside. 

Where automatic updates are enabled, Runecast customers should already have this VMSA and vulnerabilities covered, with offline updates available through the Runecast customer portal as usual. We strongly recommend updating to the latest Runecast Analyzer version - both to ensure Runecast Analyzer is patched, and also to enable Log4Shell analysis for your VMware, Windows and Linux applications. 

Security never sleeps

For anyone who thought that December would be a quiet month this just proves that security doesn’t have an off switch, and we are once again impressed with the dedication and hard work of our development team to react to critical vulnerabilities like this in such a short time period.

As we are in the early days of the vulnerability being reported we believe that threat actors and cyber criminals will use this vulnerability, which likely means greater harm and risk in the coming days. This is why we move heaven and earth to cover these vulnerabilities as quickly and comprehensively as possible. 

This year we as a team have covered a number of VMware Security Advisories and critical security events. Common Vulnerabilities and Exposures (CVEs) like these provide definitions for publicly disclosed cybersecurity vulnerabilities and exposures, and the VMSA provides VMware’s resolution and workaround information. This information is carefully evaluated and parsed by Runecast and our development team to ensure that the critical infrastructure that you rely on, and we protect, is safe as soon as possible. 

Runecast 6.0.2 is a monumental release that introduces not only Windows and Linux analysis but dives deeper into the application level, to ensure customers have full protection against critical vulnerabilities.

As always, if you have any questions you can reach out to us via our contact us form or on Twitter with any feedback or questions.

Request Your Free Log4Shell Assessment

Check your environment for the critical vulnerability in the Apache Log4j Java library.

Request my Free Assessment
About the Author | Daniel Jones

Daniel Jones is the Technical Content Writer for Runecast. Daniel has 10 years experience working IT Operations and Infrastructure/Network admin before transitioning to Process Improvement and documentation. Working and writing for Runecast means he can combine his interest in tech with his love of the written word.

When Daniel is not working he can be found writing stories and songs, chasing around after his family and pining for the seaside.


Request Your Log4Shell Vulnerability Scan

All Blog articles