Cato Networks Rapid Response to The Apache Log4J Remote Code Execution Vulnerability

On December 9th, 2021, the security industry became aware of a new vulnerability, CVE-2021-44228. With a CVSS (Common Vulnerability Scoring System) score of a perfect 10.0, CVE-2021-442288 has the highest and most critical alert level.

To give some technical background, a flaw was found in the Java logging library “Apache Log4j 2” in versions from 2.0-beta9 to 2.14.1. This could allow a remote attacker to execute code on a server running Apache if the system logs an attacker-controlled string value with the attacker’s JNDI LDAP server lookup.

More simply put, this exploit would allow attackers to execute malicious code on Java applications, and as such, it poses a significant risk due to the prevalence of Log4j across the global software estate.

Cato’s Security Researchers Never Sleep, So You Can

Since the disclosure, the security analysts here at Cato Networks have been working tirelessly to identify, pinpoint and mitigate any potential vulnerability or exposure that our customers may have to this threat.

Here is our internal log of operations:

• 9th December 2021: The security community became aware of active exploitation attempts in the Apache Log4j software.
• 10th December 2021: Cato Networks identified the traffic signature associated with this exploit and started actively monitoring our customer base.
• 11th December 2021: Cato Networks has implemented a global blocking rule within our IPS for all Cato customers to mitigate this vulnerability.

Action Items to Cato Customers: Just Read eMails

Cato customers have already been informed that if they have the Cato IPS enabled, they are protected. Cato is actively blocking the traffic signature of this vulnerability automatically. No patching or updates to the Cato platform is required.

This is the greatness of an IPS-as-a-Service managed by some of the greatest security researchers. Our customers don’t have to perform any maintenance work to their IPS, and can make a much better use of their time: first by communicating to their upper management that their network is already secured and second, if they are using Apache products, by following the vendor’s advisory for remediation. Thanks to Cato, they can patch Apache at their own speed without fear of infiltration and exploitation.

What about the Cato SASE Cloud? Was it exposed?

In short, no. Our engineering and operations teams have worked side by side with our security analysts to investigate our own cloud and confirm that based on everything that we know, we are not vulnerable to this exploit.

Eventually, no one is 100% bullet proof. The test is really about what you have done to minimize the potential risk, and what you can do to mitigate it when it manifests. Cato has all the resources, the skills and the talent to minimize our attack surface, and make sure that our ability to respond to emerging threats is at the maximum. This is the right balance our customers deserve.

Sadly, This Is Not Over Just Yet

As often happens with such high-profile and critical CVEs, more data and IoCs (Indicators of Compromise) are surfacing as more analysts across the IT and cyber communities dive deeper into the case.

Our researchers are continuing their work as well, monitoring new discoveries across the community on the one hand, and running our own research and analysis on the other – all together targeted to make sure our customers remain protected.