Skip to main content

New Vulnerable Application

This alert occurs when Lacework detects that your cloud environment has executed software with a critical vulnerability (specifically, the Java Log4J vulnerability). This software may be a container image from docker.io running on a cluster or a software binary on a host with identified Log4J Java class files with vulnerabilities.

Given the severity of this vulnerability, Lacework will provide continuous alerts whenever this software is executed, regardless of frequency, with a maximum of one alert per 24 hours.

Why this alert is important

The Log4J vulnerability poses significant challenges when it comes to mitigation due to the reasons below:

  • It's difficult to determine whether or how it can be exploited.
  • There are limited effective measures to address it.

It is crucial to treat any software executing in your cloud environment that contains the Log4J vulnerability as a critical risk and prioritize its remediation.

Why this might be just fine

Under certain circumstances, the risk of running Log4J-vulnerable software can be contained. For example, it can be isolated within a sandbox environment by utilizing tools like gVisor; or have strong network egress controls implemented by the DevOps team in collaboration with the security team. These security measures, which restrict DNS requests and network connections, can mitigate the risk.

However, it's crucial to prioritize patching or removing the Log4J-vulnerable software as a more reliable approach, as security controls may have gaps or be inadvertently disabled.

Investigation

When addressing critical vulnerabilities such as Log4J, initiating the process of updating software can be challenging and involve multiple stakeholders. To facilitate effective communication, it is essential to establish a forum that includes relevant stakeholders from both the DevOps teams and the risk/legal teams. This forum serves as a platform for sharing information and coordinating efforts.

As an initial step in this communication forum, the security team should gather pertinent details about the vulnerable software. This information can be obtained from Lacework's attack path analysis or its analysis of active vulnerabilities, which determines whether the Log4J software is present but not actively utilized. Armed with this information, the security team can utilize Lacework's re-alerting feature on the vulnerability to periodically remind the communication forum (such as on a weekly basis) that the issue still requires attention.

Establishing effective communication channels and leveraging Lacework's capabilities for gathering insights and issuing reminders can streamline the process of addressing critical vulnerabilities and ensure that the issue remains at the forefront of stakeholders' attention.

Resolution

To resolve critical vulnerabilities such as Log4J, follow the steps below:

  • Apply the necessary patches or updates provided by Log4J or the relevant software vendors. Ensure all affected systems, applications, libraries, and dependencies are updated to versions that have addressed the vulnerability.
  • Continue to monitor your environment for any signs of exploit attempts or unusual activities related to Log4J.
  • Consult with security professionals or external experts to ensure a comprehensive and effective resolution of the Log4J vulnerability tailored to your specific environment and requirements.