Who's on your team for defense against zero-day vulnerabilities? Can your network move quickly to mitigate a risk once it is identified?
Security is a layered approach. Various defenses must be put in place to slow and stop a threat.
A vulnerability in Apache log4j is actively being exploited in the wild with a high criticality and it requires immediate attention.
Log4j is widely used in software such as:
- Ubiquiti UniFi
- Arista CloudVision
- Cisco ISE
- Fortinet FortiPortal
- Juniper Networks Paragon
- And more.. Check with your vendor for an update.
Stop threats at the perimeter
First step is to identify and stop any flow of traffic trying to exploit Log4j. With Palo Alto Networks firewalls, a Threat Prevention subscription would automatically block sessions related to the Log4j vulnerability.
Under Applications and Threat content updates there would be an update with signatures protecting against these attacks.
The signatures are Threat ID 91991, 91994, and 91995.
Monitor for active exploits
Identify whether you're part of an active exploit by monitoring the Threat logs within Palo Alto Networks firewalls.
Apply a filter to find out where the threat is coming from and take your next course of action or confirm the threat is being blocked:
name-of-threatid eq 'Apache Log4j Remote Code Execution Vulnerability'
Patch your vulnerable systems
Now that the perimeter is working to protect your network, it's time to act quick and mitigate. Take inventory of all your systems and use a vulnerability scanner such as Qualys.
Patch and Monitor.