[BruinTech] [Info Security] [PLEASE READ] Log4Shell Mitigation

Good Morning BruinTech and QUG,

As the threat landscape for Log4Shell continues to evolve, Information Security would like to provide updated guidance and additional procedures we are implementing to protect campus:

  • The Security team continues to run vulnerability scans and leverage additional toolsets to hunt for vulnerable log4j assets in the campus environment.
  • Any findings are being shared directly with the campus unit and system owners to prioritize mitigation.
  • As the Winter Closure approaches, to defend against the possibility of exploitation during the break, any vulnerable system reported that is not acknowledged within 24 hours of notice will be taken off the campus network.
  • Qualys users can log in to the Qualys Cloud Console and review the “Apache Log4J2” dashboard, which tracks vulnerable assets based on the latest scan data.
  • Early returns on the efficacy of remote network scanning for this vulnerability are mixed, and Qualys has warned of the possibility of false negatives (see attached Qualys webinar deck).
  • This situation is not unique to Qualys and affects multiple other reputable vulnerability management tools.
  • Please continue to monitor Qualys’ blog on their detection for Log4Shell (https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell)
  • Qualys recommends deploying Cloud Agents to gather the most effective detection data. Cloud Agents are provided free of charge as part of the VMP effort; please reach out to us at security@ucla.edu if you are interested in deploying these in any quantity to your systems.
  • Security can corroborate this statement from Qualys: we are seeing the most detailed results for campus areas leveraging the Qualys Cloud Agent. We recommend deploying these to any public-facing server exposed to the Internet.
  • Because of the above, and because application-specific vulnerabilities (log4j embedded in systems like VMware, Kronos, etc.) remain difficult to fully enumerate and test, we urge campus operators not to adopt a false sense of security by relying solely on vulnerability scan data.
  • Many software vendors have released statements regarding the impact of Log4Shell on their products. We recommend that all system/application owners consult resources such as the open-source lists below to determine whether their products are impacted.

Please continue to proactively evaluate your environment for any usage of log4j and take steps to mitigate the vulnerability by patching or applying the recommended workaround. Mitigation strategies are provided in the attached Mandiant PDF, and the Security team is available to provide additional assistance. Please continue to report the steps you are taking to address any vulnerable log4j usage in your environment so that we can understand the overall campus impact of this event. As always, please contact us at security@ucla.edu if you have any questions. Thank you!
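The host-local inventory that the Cloud Agent recommendation and the warning about embedded copies both point toward, as an added example that is not UCLA's, Qualys's or Mandiant's code: a Python script that walks a directory tree, finds every copy of log4j-core (including copies nested inside WAR/EAR/fat JARs, the case a remote network scan tends to miss), reads the version from the jar's own Maven metadata, and reports whether JndiLookup.class is still present. The version threshold (2.15.0 treated as the first release carrying a Log4Shell fix) and the treatment of a deleted JndiLookup.class as the applied workaround are assumptions drawn from Apache's public release history, not from this email; the jars built by `demo()` are constructed stand-ins containing only the entries the scanner inspects, not real log4j artifacts. Jars holding only log4j-api are deliberately not flagged.

```python
# Added example, not a UCLA, Qualys or Mandiant tool: local log4j-core inventory.
import io, os, re, shutil, tempfile, zipfile
from dataclasses import dataclass

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIRST_FIXED = (2, 15, 0)  # assumption: first log4j 2.x release carrying a Log4Shell fix

def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    return tuple(int(g or 0) for g in m.groups()) if m else None

@dataclass
class Finding:
    location: str            # file path; "!" separates nested archive levels
    version: str             # from pom.properties or the file name, else "unknown"
    jndi_lookup_present: bool

    @property
    def status(self):
        parsed = parse_version(self.version)
        if parsed is None:
            return "unknown-version"       # needs a manual look
        if parsed >= FIRST_FIXED:
            return "patched"
        # Deleting JndiLookup.class is the documented workaround for older 2.x releases
        return "vulnerable" if self.jndi_lookup_present else "mitigated-class-removed"

def version_of(zf, names, location):
    if POM_PROPS in names:  # Maven metadata inside the jar is the reliable source
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-([\w.\-]+?)\.jar$", location)  # fall back to the file name
    return m.group(1) if m else "unknown"

def scan_archive(zf, location):
    """Report log4j-core in this archive, then recurse into archives it contains."""
    names = set(zf.namelist())
    findings = []
    if POM_PROPS in names or any(n.startswith(CORE_PREFIX) for n in names):
        findings.append(Finding(location, version_of(zf, names, location), JNDI_LOOKUP in names))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(scan_archive(inner, f"{location}!{name}"))
            except zipfile.BadZipFile:
                pass  # a .jar-named member that is not really an archive
    return findings

def scan_path(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(scan_archive(zf, path))
                except zipfile.BadZipFile:
                    pass
    return findings

def fake_log4j_core(version, keep_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar with only the entries inspected above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed layout: patched jar, class-removed jar, vulnerable copy inside a WAR."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(fake_log4j_core("2.17.1"))
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(fake_log4j_core("2.14.1", keep_jndi_lookup=False))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_log4j_core("2.14.1"))

def demo():
    """Build the sample tree in a temp dir, scan it, return {relative location: status}."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        return {f.location[len(root) + 1:]: f.status for f in scan_path(root)}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for location, status in demo().items():
        print(f"{status:24} {location}")  # on a real host call scan_path() on app dirs
```

On a real host, point `scan_path()` at the directories that hold deployed applications and their bundled runtimes rather than the whole filesystem, then reconcile the result against the Qualys dashboard: anything reported as vulnerable or unknown-version, and any host where the local inventory and the scan data disagree, is what to resolve by hand before the closure.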