As you might know, on December the 9th 2021 Apache foundation revealed a severe security vulnerability in the Apache Log4j software. The found vulnerability could be used to execute malicious code on servers. The risk only applies to machines with an open connection to the Internet. Servers that are protected by additional security measures (like firewalls, air-gaps, etc.) are most likely not targets for this attack.
Like numerous other software development companies, INDICA also uses Apache Log4j in some of its software components. Since Friday the 10th of December, the INDICA DevOps team has been very busy investigating the extent to which the INDICA software has been influenced by this vulnerability. We would like to assure you that within INDICA, Apache Log4j does not have the capability to reach the outside world, due to the way INDICA is configured and the security measures taken within the INDICA environment.
Even though the configuration and security measures protect the appliance - to be extra safe - we have also developed a patch to make sure that the vulnerability is rooted out entirely. This patch is attached to this article. We strongly recommend applying this patch as soon as possible in order to mitigate the potential risks and to investigate whether there was an (attempt to) attack aimed at the INDICA server.
Please follow the instructions below to apply the patch:
1. Dowload the detector python script from https://github.com/Neo23x0/log4shell-detector/blob/main/log4shell-detector.py (big thanks to Florian Roth!)
2. Copy the provided files "log4j_patch.sh" and "log4shell-detector.py" to the INDICA server and place the files in the folder "/net/bin/".
This can be done using scp, winscp, or a similar tool.
3. Open an SSH session and acquire root-rights
4. Run the following commands on the server:
fromdos /net/bin/log4j_patch.sh
fromdos /net/bin/log4shell-detector.py
chmod +x /net/bin/log4j_patch.sh
5. Run the provided script:
/net/bin/log4j_patch.sh
After applying the patch, the script will ask if it should check for traces of this exploit being used on the system.
It is highly advised to run the check as well. This can take some time to complete.
In case the check yields no results, it is highly unlikely that any malicious activity took place on the server. No further action on your part is required.
In case the check does find traces of malicious activity, it is advised to contact INDICA.
For additional information and/or assistance with these steps, it is possible to contact INDICA support.
For more information about the vulnerability, please refer to https://www.cve.org/CVERecord?id=CVE-2021-44228 (EN) and https://www.ncsc.nl/actueel/nieuws/2021/december/12/kwetsbare-log4j-applicaties-en-te-nemen-stappen (NL)
For a list of vulnerable software, please refer to https://github.com/NCSC-NL/log4shell/tree/main/software