Table of contents
Topics on this page
Apache Log4j 2 Vulnerability
On December 9, 2021, a new critical zero-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) by logging a certain string on affected installations.
Network Security customers should enable Filter 40627, which was released in Digital Vaccine #9621, in a block and notify posture for optimal coverage. Starting with Digital Vaccines released on 12/21/2021, this filter will be enabled by default. Trend Micro recommends that you confirm the filter is enabled in your policy. Filter 40652: HTTP: Apache Log4j StrSubstitutor Denial-of-Service Vulnerability (ZDI-21-1541), which covers CVE-2021-45105, should also be enabled.
Security Bulletin: 1091
Risk level: Risk level: Low (generally tolerable level of risk)

Learn more about this vulnerability.

Learn more about Trend Micro's response to this vulnerability.

This attack is successful when the exploit is used to initiate a transfer of a malicious attack payload. In addition to filter #40627, the following techniques can disrupt that chain.

  • Geolocation filtering – Geolocation filtering can be used to reduce possible attack vectors. Geolocation filtering can block inbound and outbound connections to any specified country, which may limit the ability for attackers to exploit the environment. In cases where a business operates only in certain regions of the globe, proactively blocking other countries may be advisable. Learn more.
  • Anonymous proxies – Anonymous proxies are also an independent, configurable "region" that can be selected as part of Geolocation filtering. This will block any inbound or outbound connection to and from an anonymous proxy or anonymizer service, which can be commonly used as part of exploit attempts.
  • Domain filtering – Domain filtering can also be used to limit the attack vectors and disrupt the attack chain used to exploit this vulnerability. In this case, any outbound connection over TCP is dropped unless the domain being accessed is on a permit list. If the attacker's domain (for example, http://attacker.com) is not on the permit list, then it would be blocked by default, regardless of the IPS filter policy. Learn more.

Testing your internet-facing services

Trend Micro Research has created a quick web-based testing tool, the Trend Micro Log4j Vulnerability Tester, that can help users and administrators identify server applications that might be affected by the Log4Shell vulnerability.