It strikes me that the world with Log4J is bad, we cannot understate that. But looking at how it can be weaponized and exploited, it really got me thinking that many corporate servers (at least) should be immune to the flaw (or certainly have the complexity push CVSS away from a 10.0 score) if the servers have no Internet connectivity.
I am a firm believer that you need to at least zone your servers and you need to at least block them from being able to access the Internet - even via proxy - unless there is an explicit reason for that. It also goes for not allowing recursive DNS queries into the Internet because......that's a flow of data you are not controlling.
From experience, I have seen that 0.001% of servers on corporate property might need Internet access and that access must be firewalled, point-to-point, protocol-explicit.
Does anyone see a way that Log4J flaws can be weaponized and then exploited without this connectivity? Yes, it would be a Band-Aid but as a compensating control, I think it is something that should be in place anyway to give more time to test updated packages. And I do work for a corporation that is running around patching lots of things.
Another pain point I've seen and I've given people the info that this must change is having old-yet-patched versions of some software on property must change to adopt a more current version posture. The success stories in Log4J remediation are coming from those who upgrade major versions often, their patching for this has been almost painless (or as low-pain as possible). Moving from 4.x of a product to 20.x is having more of an anchor attached to it with fears that A will suffer in the CIA triad.
Patch on is still the message.....
I am a firm believer that you need to at least zone your servers and you need to at least block them from being able to access the Internet - even via proxy - unless there is an explicit reason for that. It also goes for not allowing recursive DNS queries into the Internet because......that's a flow of data you are not controlling.
From experience, I have seen that 0.001% of servers on corporate property might need Internet access and that access must be firewalled, point-to-point, protocol-explicit.
Does anyone see a way that Log4J flaws can be weaponized and then exploited without this connectivity? Yes, it would be a Band-Aid but as a compensating control, I think it is something that should be in place anyway to give more time to test updated packages. And I do work for a corporation that is running around patching lots of things.
Another pain point I've seen and I've given people the info that this must change is having old-yet-patched versions of some software on property must change to adopt a more current version posture. The success stories in Log4J remediation are coming from those who upgrade major versions often, their patching for this has been almost painless (or as low-pain as possible). Moving from 4.x of a product to 20.x is having more of an anchor attached to it with fears that A will suffer in the CIA triad.
Patch on is still the message.....