Multiple governments have released a long list of IT vendors and their products that are impacted by the Log4j vulnerability, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Dutch National Cyber Security Centrum (NCSC)
The two agencies are maintaining running lists of vendors impacted by the vulnerability on their respective GitHub repositories, which includes the name of the vendor, the product impacted, information about security patches and links back to the vendor’s security advisory.
As of Wednesday afternoon, the CISA repository listed more than 500 products from the IT vendor community, and lists products that are affected, under investigation or not affected. Read more about CISA’s recommendations on this major issue here.
The NCSC has a much more comprehensive list of about 1,900 products and their vulnerability status. However, not all vendors listed have vulnerable products.
Both lists also offer information about workarounds and temporary mitigations while the solutions are patched.
Appearing on these lists are vendors such as Cisco, VMWare, Amazon, IBM, Fortinet, Microsoft, Splunk, Sophos, Red Hat and some of the other largest enterprise technology providers in the world.
- CISA repository: https://github.com/cisagov/log4j-affected-db
- NCSC repository: https://github.com/NCSC-NL/log4shell/tree/main/software
Another Log4j security update
Apache quickly released Log4j version 2.15.0 in a security update to address the main vulnerability that was exposed last week, but the foundation this week released another update, 2.16.0, that addresses a remote denial-of-service vulnerability in certain non-default configurations.
Organizations are advised to apply the new update immediately.
According to The Apache Foundation, 2.15.0 restricts JNDI LDAP lookups to localhost by default, but 2.16.0 disables access to JNDI by default, and lookups now need to be enabled explicitly.
The update also limits the protocols by default to only Java, LDAP and LDAPS and limits the LDAP protocols to only accessing Java primitive objects. Hosts other than the local host need to be explicitly allowed, the organization says in an advisory.
Widespread exploitation attempts
Because of the broad vulnerability across the entire IT ecosystem, coupled with the simplicity of this exploit, attackers have pounced at the opportunity to leverage this for a variety of purposes, including cryptojacking, ransomware and other attack methods.
According to cybersecurity provider Check Point, the company has seen an attempted exploit on 46% of global corporate networks, and the firms’ software has helped prevent over 1.8 million attempts to exploit the vulnerability.
What’s especially concerning however, is that known threat actors—perhaps nation-state actors and other sophisticated groups with access to access to resources and advanced tools—are responsible for nearly half of those attempts.
Attacks leveraging this vulnerability have also rapidly escalated, with attacks nearly doubling between Dec. 11 and Dec. 13, according to Check Point’s data.
While the global average of corporate networks being attacked via this vulnerability is about 46%, some countries have seen over 60% of corporate networks impacted.
What’s even more concerning is the type of organization being attacked. According to Check Point, at least 55% of internet service providers, managed service providers, value-added resellers and other third-party tech service providers have reported being attacked.
As is often the case, those kind of organizations represent valuable hacking targets because they likely hold the keys to the networks of thousands more organizations.