Spring4Shell: Zero-Day Vulnerability in Spring Framework

What Happened?

On March 30, 2022, we received word through our channels of a remote code execution vulnerability in Spring Framework when a Chinese-speaking researcher published a GitHub commit that contained proof-of-concept (PoC) exploit code.

This uploaded exploit targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMware) and is used by many Java-based enterprise software frameworks. The vulnerability in the leaked proof-of-concept, which appeared to allow unauthenticated attackers to execute code on target systems, was exploited quickly.

What Are We Doing?

1. Actively monitoring public data streams pertaining to this situation. We are also working with Rapid7’s research team, who confirm that the zero-day vulnerability is real and provides unauthenticated remote code execution.

Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. As of March 31, Spring has also confirmed the vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.

The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.

While Rapid7 does not have a direct detection in place for this exploit, they do have behavior-based detection mechanisms in place to alert on common follow-on attacker activity.

2. Informing our SOC Analysts of the investigation and providing them with the necessary briefings to deploy any defenses provided by our partners.

3. Reinforcing our recommendations by communicating the need for layered security and applying rock-solid standards provided by public, vendor-neutral agencies like the Center for Internet Security. The goal of these standards is a stronger, more robust layering of protective measures for our FIT clients.

What You Can Do

The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. As of 10 AM EDT, March 31, 2022, CVE-2022-22965 has been assigned to this vulnerability.

Spring has confirmed the zero-day vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Evaluate your environment for this vulnerability and patch as needed. We are big fans of the work performed by the Center for Internet Security (CIS). CIS is a nonprofit organization, formed in October 2000.

Its mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.

Spring4Shell would be best mitigated by applying the CIS Controls:

Control 02 – Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Control 08 – Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Control 12 – Network Monitoring & Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

If you have any questions about how to further implement these controls in your environment, FIT Cybersecurity would love to provide guidance and help you improve your security posture.


— The FIT Cyber Team

Serious Cybersecurity Vulnerabilities: Apache Log4j & SMA-3217

UPDATE — 12/18/21

There have been more developments in the ongoing remediation of the Log4j logging library and connected vulnerabilities.

The initial patch, version 2.15.0, that aimed to resolve the remote code execution vulnerability described in CVE-2021-44228 was found to be incomplete and led to the discovery of CVE-2021-45046. Initially thought to be a minor DoS vulnerability, CVE-2021-45046 was assigned a CVSS of 3.7. As of late yesterday, CVE-2021-45046 was elevated to a CVSS of 9 due to newly discovered attack vectors that would allow bad actors to exfiltrate data. A patch was quickly released in version 2.16.0 to remediate it. Earlier this morning, a new flaw was identified in the patch version 2.16.0 that required a new patch release (version 2.17.0) and a new vulnerability tracking ID, CVE-2021-45105. The identified flaw is a severe DoS vulnerability that would allow bad actors to perpetrate denial-of-service attacks against affected assets. CVE-2021-45105 has been assigned a CVSS of 7.5.

The risk with these vulnerabilities rests not only in active use of the Log4j library within production applications developed by your company, but also in several standard workplace applications and solutions that utilize it. Log4j is one of the most ubiquitous logging libraries and is used in a plethora of applications and solutions. It is likely that some of the applications you use in your environment are affected and therefore vulnerable. These are called nested vulnerabilities: they stem from a utility used inside commonly deployed applications, and remediating them depends on patch releases from the application vendor.


FIT’s Response:

FIT is continuing to monitor the situation closely and apply patches as they become available. FIT engineering will be reaching out as patches are released to set up emergency patching windows for FIT IT managed clients.


Recommendations:

If you are currently utilizing Log4j in your development or infrastructure, FIT recommends immediately applying the patch in version 2.17.0 (Java 8).

Additionally, these vulnerabilities have highlighted the importance of running a full application inventory of your environment and comparing it against published lists of affected applications. It is critical to apply patches, when available, to all affected applications in your environment. The primary attack surface list in use by FIT Cybersecurity is published by Rumble and can be found here – Finding applications that use Log4J (rumble.run). It is updated daily, if not twice daily, and maintains the most complete list of applications affected by these vulnerabilities.
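As an added example (not FIT’s, Rumble’s, or the Spring/Log4j projects’ own tooling), the following Python script performs the inventory step from this update and from the Spring4Shell post above: it walks a directory tree, reads artifact and version from jar file names, descends one level into .war/.ear bundles for the nested case, and flags spring-beans/spring-webmvc/spring-webflux below 5.3.18 / 5.2.20 and log4j-core below 2.17.0. Assumptions: the version is present in the file name, the artifact ids listed are the ones carrying the fixes, and the JDK 9+ condition for Spring4Shell is not checked.

```python
import os
import re
import tempfile
import zipfile

# Fixed releases named in the advisories above: Spring Framework 5.3.18 / 5.2.20
# (CVE-2022-22965) and Log4j 2.17.0 (CVE-2021-45105).  Assumption: these
# artifact ids are the ones that carry the fixes; a minor line older than every
# fixed line (Spring 5.1.x, or Log4j 1.x, which is end-of-life) is reported as
# unpatched so that it gets reviewed.
FIXED = {
    "spring-beans": [(5, 2, 20), (5, 3, 18)],
    "spring-webmvc": [(5, 2, 20), (5, 3, 18)],
    "spring-webflux": [(5, 2, 20), (5, 3, 18)],
    "log4j-core": [(2, 17, 0)],
}
JAR_RE = re.compile(
    r"^(spring-beans|spring-webmvc|spring-webflux|log4j-core)-(\d+(?:\.\d+)+)")


def parse_version(text):
    """'5.3.17' -> (5, 3, 17); padded to three parts so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_unpatched(artifact, version):
    """Below the fix on its own minor line, or on a line that has no fix at all."""
    fixes = FIXED[artifact]
    for fixed in fixes:
        if version[:2] == fixed[:2]:
            return version < fixed
    return version < min(fixes)


def classify(name):
    """(artifact, version) for a jar file name we track, else None."""
    m = JAR_RE.match(os.path.basename(name))
    return (m.group(1), parse_version(m.group(2))) if m else None


def scan_tree(root):
    """Walk root; report tracked jars on disk and one level inside .war/.ear/.jar
    bundles (the nested case the update describes).  Each finding is
    (location, artifact, version, unpatched)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            hit = classify(name)
            if hit:
                findings.append((path, hit[0], hit[1], is_unpatched(*hit)))
            if name.endswith((".war", ".ear", ".jar")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as bundle:
                    for entry in bundle.namelist():
                        inner = classify(entry)
                        if inner:
                            findings.append((path + "!" + entry, inner[0],
                                             inner[1], is_unpatched(*inner)))
    return findings


def _write_jar(path, entries=()):
    """Write a minimal zip that stands in for a jar (constructed sample data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in entries:
            z.writestr(entry, b"")
    return path


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return findings
    with locations made relative to the temp dir."""
    with tempfile.TemporaryDirectory() as root:
        _write_jar(os.path.join(root, "lib", "spring-beans-5.3.17.jar"))
        _write_jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"))
        _write_jar(os.path.join(root, "apps", "portal.war"),
                   ["WEB-INF/lib/log4j-core-2.14.1.jar",
                    "WEB-INF/lib/spring-webmvc-5.2.20.jar"])
        return [(loc[len(root) + 1:], a, v, bad)
                for loc, a, v, bad in scan_tree(root)]


if __name__ == "__main__":
    for loc, artifact, version, bad in demo():
        print("UNPATCHED" if bad else "ok       ", artifact,
              ".".join(map(str, version)), loc)
```

Point scan_tree at an application server’s install directory to run it against real deployments; a hit inside a .war is the vendor-patch case, not something to fix by swapping the jar yourself.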


UPDATE — 12/17/21

CVE-2021-44228 & CVE-2021-45046

VMware is starting to release patches for both vulnerabilities. Please reference this article against your environment to determine what patches are available for your infrastructure: VMSA-2021-0028.3 (vmware.com)

FIT Managed IT clients will be hearing from your engineering team as patches for your environment become available.

FIT Cloud Clients, emergency patches are being applied to your infrastructures this weekend.

Please Note: This is just the first round of patches and not everything has had a patch released yet. We anticipate this process continuing for the next few weeks at least. Depending on your environment, it is very possible you will need several emergency patching windows as more and more patches become available.


UPDATE — 12/16/21

We’d like to provide a status update of where we stand with the remediation efforts of the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

CVE-2021-44228

FIT Solutions’ Managed IT clients are 95% patched for on-premises assets that are affected by this vulnerability, and the last 5% are actively being worked on by the engineering team. The scope of this vulnerability is evolving as new applications and services are identified as vulnerable. FIT Solutions is actively investigating and monitoring all client infrastructures to identify and address any newly discovered vulnerable systems.

CVE-2021-45046

This new vulnerability, which arose from the remediation of CVE-2021-44228, remains in the monitoring state. A few patches have been released to address it, but a majority of software and solution providers are still working on updated patches. FIT Cybersecurity is actively monitoring the situation and engaging the engineering team as soon as patches become available to implement in client environments.

Updated Recommendation

FIT Cybersecurity is recommending an additional layer of protection that can assist in defending against the Log4j vulnerabilities. If it is possible in your environment, we recommend that outbound LDAP communications be blocked on the firewall. This will not completely protect your environment from the Log4j vulnerability, but it will hamper attempts by bad actors to exploit the vulnerability by utilizing LDAP. FIT Cybersecurity and FIT Solutions will continue to collaborate on monitoring the situation and remediating client environments. If you have any questions or concerns, please do not hesitate to reach out to [email protected].
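To make the outbound-LDAP recommendation verifiable, here is an added Python example (not FIT’s own tooling) that runs over constructed egress-firewall log lines and reports hosts that attempted LDAP connections (TCP 389/636) to addresses outside the RFC 1918 ranges, which is exactly the traffic the block above is meant to stop. The key=value log format and the choice of RFC 1918 space as "internal" are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# LDAP (389) and LDAPS (636).  LDAP to your own directory servers is normal;
# the signal is LDAP leaving the private network for an address you don't own.
LDAP_PORTS = {389, 636}
# Assumption: RFC 1918 space is "internal".  (ipaddress.is_private is not used
# here because it also covers the documentation ranges in the sample below.)
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in an assumed key=value egress-firewall format.
SAMPLE_LOG = """\
2021-12-16T10:02:11Z src=10.1.4.20 dst=10.1.0.5 proto=tcp dport=389 action=allow
2021-12-16T10:02:13Z src=10.1.4.20 dst=203.0.113.7 proto=tcp dport=389 action=allow
2021-12-16T10:02:15Z src=10.1.4.21 dst=198.51.100.9 proto=tcp dport=443 action=allow
2021-12-16T10:02:40Z src=10.1.4.22 dst=203.0.113.7 proto=tcp dport=636 action=deny
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def is_outbound_ldap(rec):
    """Internal source, non-internal destination, LDAP port."""
    return (rec["dport"] in LDAP_PORTS
            and is_internal(rec["src"]) and not is_internal(rec["dst"]))


def detect(log_text):
    """Group suspicious events by source host.  A 'deny' is still reported:
    once the egress block is in place, the attempt itself is the finding."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_outbound_ldap(rec):
            alerts[rec["src"]].append(
                (rec["ts"], rec["dst"], rec["dport"], rec["action"]))
    return dict(alerts)


if __name__ == "__main__":
    for host, events in detect(SAMPLE_LOG).items():
        print(f"{host}: {len(events)} outbound LDAP attempt(s)")
        for ts, dst, port, action in events:
            print(f"  {ts} -> {dst}:{port} ({action})")
```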


UPDATE — 12/15/21

A new vulnerability was discovered that impacts all assets affected by the initial Log4j vulnerability (CVE-2021-44228). This new vulnerability (CVE-2021-45046) is less severe than CVE-2021-44228, coming in with a CVSS score of 3.7 out of 10. Do not let the lower CVSS score fool you; the vulnerability still requires immediate attention.

The initial patch released for Log4j will prevent an attacker from gaining complete control over an affected asset, but that same patch can be abused by attackers resulting in a denial-of-service (DoS) attack on the affected asset. These DoS attacks have the ability to take an affected asset down by flooding the asset with requests at such a volume that the asset cannot handle the load.

Currently, software and solution providers are scrambling to release new patches of their software that address this new vulnerability. Apache, the initial source of both these vulnerabilities, has released a new version of the Log4j logging library that fixes this issue. If you actively use Log4j, please make sure you update your version to 2.16.0 which resolves both vulnerabilities.

Here are some additional resources for more information on the new vulnerability CVE-2021-45046:

Apache’s Fix for Log4Shell Can Lead to DoS Attacks | Threatpost

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released (thehackernews.com)

FIT Cybersecurity and FIT Solutions Response

FIT Cybersecurity and FIT Solutions are collaborating actively to patch all FIT Solutions IT clients and advise all cybersecurity clients on next steps. As more patches become available, FIT Solutions will reach out to IT clients for emergency patching windows. It is important to note, about 90% of affected assets from FIT Managed IT clients have been patched with the initial patch or a workaround has been implemented. The remaining 10% are actively being worked on to complete patching of the initial CVE-2021-44228.


UPDATE — 12/14/21

Only about 30% of the software vendors impacted have released patches thus far. We urge decision-makers to approve emergency patching throughout the week, if possible, as updates come out. Though patching updates can be disruptive to work, the interruption would be far less than that caused by a breach. Our cybersecurity team built custom monitoring alerts to increase threat hunting while we wait for patches to be released. Our team is also trained on emergency response actions to stop the exploit from being leveraged. We are working with all our clients to strategically make plans to minimize risk to their businesses. For users of FIT Cloud, we have applied the work-around fixes to VMware while a patch is being developed to protect the Cloud infrastructure.


INITIAL 12/13/21

Late last week, two vulnerabilities came to light that have made large waves in the cybersecurity space. We wanted to make sure you are informed of these new and potentially dangerous vulnerabilities. FIT Solutions stands ready to assist in any way we can as we go through the remediation of these new vulnerabilities. Please do not hesitate to reach out to [email protected] with any questions or concerns you may have.


Apache Log4j Logging Library Vulnerability | CVE-2021-44228 | CVSS 10.0

The Apache Log4j vulnerability was released late on Friday, December 10, and has a large attack surface with potentially dangerous effects. This vulnerability allows attackers to gain complete control of affected systems. The Log4j logging library is widely used and can be found in different services from Apple, Twitter, Steam, Tesla, Elasticsearch, and more. Ranking as a CVSS 10.0 out of 10, this vulnerability poses a significant threat to those that utilize or interact with the Apache Log4j Logging Library, and it is already being exploited in the wild.

This is a high criticality vulnerability and deserves your immediate attention. Recommended remediation is to immediately upgrade any direct use of the Log4j library to log4j-2.15.0.rc2. Log4j is also utilized in several tools for logging, monitoring, alerting, and dashboard solutions. This means the issue may not be that you are directly using the library, but your tools are, which would also leave you vulnerable. In these instances, update your tools to the latest version and monitor their publishers’ releases to ensure you update to the release meant to fix CVE-2021-44228.

Log4j is also a dependency in a large number of applications for business and personal use. In these circumstances, we must wait for the application provider to update the Log4j library. With the intense scrutiny and attention this vulnerability has received, we anticipate patching within the next couple of days if the issue has not been patched already.

If you are not sure if you or one of the tools you utilize use Log4j, Huntress has come out with a utility to check if you are vulnerable – Huntress – Log4Shell Tester

Here are some additional resources for CVE-2021-44228:

Critical RCE Vulnerability: log4j – CVE-2021-44228 (huntress.com)

Security warning: New zero-day in the Log4j Java library is already being exploited | ZDNet

NVD – CVE-2021-44228 (nist.gov)


SMA-3217 – SMA100 Unauthenticated Stack-based Buffer Overflow | CVE-2021-20038 | CVSS 9.8

The Unauthenticated Stack-based Buffer Overflow vulnerability is significant but much smaller in scope than the Log4j vulnerability. Affecting SMA 100 series appliances, this vulnerability can allow an unauthenticated attacker to execute commands as the nobody user, giving complete control of the device to the attacker.

Currently, there are no reports of this vulnerability being exploited in the wild, but it still warrants patching if you utilize any of these appliances. A patch has already been deployed by SonicWall and is readily available to all organizations that utilize these appliances. Our remediation recommendation is to immediately apply this patch to all affected SMA appliances.

Here are some more resources for CVE-2021-20038:

Security Advisory (sonicwall.com)

NVD – CVE-2021-20038 (nist.gov)

Patch Now: SonicWall Fixes Multiple Vulnerabilities in SMA 100 Devices | Rapid7 Blog

FIT Cybersecurity & FIT Solutions Response

FIT Cybersecurity already has monitoring deployed to watch for Log4j exploitation attempts and is closely monitoring all logs for evidence of these attempts on our clients. We are collaborating with the engineering teams for FIT Solutions customers to ensure any available patches are applied to your environment immediately.

We are ready to assist and answer any questions you may have concerning these vulnerabilities.

Idea Fest 2021

It’s that time again! We recently hosted our fourth annual Idea Fest, a Shark Tank-style forum where employees present their ideas for company improvement. Presentations may focus on streamlining a particular job or task, better emulating our core values, improving the company’s bottom line, or enhancing the service we provide to our clients and partners. Instead of just identifying problems or areas that could be improved, Idea Fest focuses on solutions; presenters are expected to include a plan for implementation. We have two prizes: a $50 gift card for the best idea, and another $50 gift card for the best presentation.

Each presenter has 5-10 minutes to explain their idea, followed by a brief Q&A session with the rest of the team. At the close of Idea Fest, all attendees vote on their favorite idea and presentation, and the management team meets later to organize execution of the ideas.

This year, we had three presenters:

  • Natasha Herrera, our COO, outlined a Road Trip system for updating employees on recent company updates
  • Josh Insel, IT Engineer from Team 4, won Best Idea for his proposal of a longevity bonus
  • Rachel Roybal, our HR Director, won Best Presentation with her idea to create a “FIT Kit” welcome package for new hires

Best Idea: Longevity Bonus

Technology has the highest turnover rate of U.S. industries, so employee retention is a huge focus for most businesses. We are always looking for ways to make sure that we are providing a stable workplace with both room and support for growth. Idea Fest is one of those ways; it allows team members to share their innovations and ideas so we can all grow together.

Josh’s idea was to provide an extra incentive as a thank you to long-term employees; every additional year an employee sticks with the FIT family, they are eligible for a bonus that increases with their tenure. Color us (not at all) surprised: everybody loved this idea!

Best Presentation: New Hire Welcome Package

Keeping with the theme of employee retention and happiness, our HR Director Rachel suggested a “FIT Kit” to be sent to new hires before their start date. Especially while the bulk of the company is working remotely, a welcome kit is a great way to showcase FIT culture and help new team members get a feel for who we are.

The proposed kit would include a note from our CEO, employee testimonials, our core values, and of course, some FIT swag! One of our core values is to create a Raving Fan culture, both internally and externally, and we loved this idea on how to create raving fans out of our new hires! A big part of our team growth has been through employee referrals, underscoring the appropriateness of the Walt Disney quote Rachel used to kick off her presentation: “Do what you do so well that they will want to see it again and again and bring their friend.”

We’re stoked to see how the FIT Kit turns out!

Runner-Up: Virtual “Road Trip”

Natasha, our COO, tied with Rachel for Best Presentation. She pitched a virtual “Company Road Trip” idea. The road trip would be set up as an online presentation of company changes and updates over the previous quarter: new hires, internal job openings, new technology or applications we’re using, exciting new goals, an update on company growth, etc.

It would also include a “road closures” list: anything that is changing or being streamlined. Teams or departments could choose to complete the road trip together, or individually. After completion, employees qualify for souvenir swag.

A central figure in this road trip idea was Fitzgerald, or Fitzy, Natasha’s proposed new mascot for internal FIT functions. We enjoyed meeting Fitzy 1.0 and who knows, maybe we’ll see him again on some FIT swag!

We love that our team is constantly looking for ways to help us improve and move forward! That innovation is one of our core values, and Idea Fest is the perfect showcase for that creativity. Thanks for tuning in!

If you want to join a fast-growing team that thrives on ideas, team input, and raving fan culture, we’d love to talk to you! Head over to our Careers page to see if we’ve got an opening that suits you.

Measuring KPIs: Do Your Actions Align With Your Vision?

From the FIT Leadership Team

We always strive to be fair, both to our clients and to our employees, and to create the best environment in which to work. We also strongly believe in bringing what makes this team wonderful to more businesses without compromising on quality. To accomplish that, we need to grow—both in quantity and quality.

As some of our most senior employees will tell you, FIT Solutions has always been on a growth trajectory. From our ‘garage-operation’ days until now, we’ve consistently looked for ways to grow and improve. There is no point where you have nothing left to learn or improve, so as the leadership team, we try to set an example of taking in knowledge, seeking out counsel and coaching, and holding ourselves to a higher standard every day.

As part of that constant refinement process, over the last year we’ve put increased focus on strengthening the foundation of our organization: our vision, our mission, and our core values. These make us who we are as a company, shape our team, and define more clearly our passion for solving business problems for our clients. Having the entire team on the same page when it comes to where we’re headed and how we plan to get there has been of immeasurable value.

With growth, though, often comes growing pains. We do our best to take these as the positive indicators they are of movement in the right direction. One of our core values is to stay humble and adaptable. The humility is essential to recognize where we have room for improvement, and the adaptability is vital to survive and thrive in an ever-evolving technological landscape. Those qualities are what move us to seek out opportunities to better ourselves as leaders, as partners, and as problem-solvers.

Over the past few months, we’ve been examining how we track and achieve goals within our organization. Exercising that core value of humility helped us to identify the need for an adjustment.

As humans, what we believe in and what we care about don’t always align with our behavior. For example, we may be interested in being healthy, and we may believe strongly that being fit or exercising regularly is important for good health—but are we acting in harmony with that belief? Do we take regular, methodical action to improve our diet or exercise routine? This is not always the case.

Similarly, the things we believe in at FIT—growth, adapting, creating the best environment—are not always evidenced by our actions. To be clear, we’re not talking about our team! We love our people and are very proud of everything they do. Rather, what we’re discussing here is a commitment by us, as the leadership team, to align our actions more closely with our vision.

Successful sports teams are often spoken of as being “tight”: operating like clockwork, moving efficiently and effectively, not wasting time or energy on actions that don’t align with the ultimate goal of winning. A team gets “tight” when its coach sets clear expectations and motivates his players to meet and exceed these goals. Why are the best athletes drawn to such a coach? Because through that guidance, players are able to achieve far more than they thought possible. A great coach helps athletes refine their skills and creates a workable environment for improvement and success.

Setting clear expectations and goals for our team members dignifies each individual and allows for constructive conversation. We encourage each employee to make a habit of regularly writing down their goals—personal, professional, and financial—and discussing these with their team lead in 1×1 meetings to see how FIT can help them reach those goals.

In line with this, we are introducing new KPIs, or key performance indicators, for each department and team. We already have some KPIs in place, but they are not always closely aligned with our vision and with the specific goals of each department. Returning to our sports example, the entire team may follow a common workout regimen. But if the quarterback’s goal is to get more touchdowns, and we know that running sprints gives him an edge on the field, then having him run sprints is in harmony with that goal. At first it may feel uncomfortable or difficult, but with practice, it becomes habit, improving his on-field performance.

At the end of the day, our ultimate goal is to do right by the people that depend on us—our clients and partners, our employees and their families, and our clients’ employees and families. In everything we do, we keep in mind the responsibility that we have towards this multitude of people.

If you are looking for an elite IT partner that is committed to catapulting your business to success, give us a call today at 888-339-5694.

How to Quickly — and Securely — Enable Work-From-Home

In response to current events, your business may be faced with the challenge of quickly putting a work-from-home program in place for your employees. Here’s the hard part: those employees will be largely on their own, with varying degrees of technical knowledge, connecting from their own home networks and accessing corporate data and resources. You need not only to get them connected, but equip them to work productively, with ample security in place so you don’t put your organization at unnecessary risk.

Considering the Alternatives

The best-practices approach — under normal circumstances — is to distribute preconfigured corporate-owned laptops. Aside from the expense, time might be the bigger issue in our current situation, as businesses everywhere are rushing to equip remote workforces. Currently, the time from order to delivery of new laptops is around 15-30 days for some suppliers.

A tempting short-term fix is to allow employees to connect to corporate resources directly using their own personal home computers, laptops, or tablets. However, this exposes corporate assets to a wide variety of risks that are outside of your control. These risks include outdated or insufficient endpoint protection, access of confidential data by others in employee households, and rogue devices on a poorly secured home network — among other threats.

The Right Technology, Right Now: Virtual Desktop Infrastructure

Virtual Desktop Infrastructure (VDI) is a widely used remote access approach with many advantages. With VDI, employees use their personal devices to access a virtual desktop — a computer that they control remotely. They view the screen, and control it via mouse or keyboard. The approach is much less expensive than provisioning and distributing laptops, and far more secure than a direct connection. With VDI, business owners can:

  • Provision remote access for tens or hundreds of users cost-effectively with a cloud-hosted solution
  • Allow secure access by a wide range of employees’ personal devices, from home PCs to laptops and tablets to smartphones
  • Tightly control access by combining standard login credentials with multi-factor authentication (MFA) to guard against weak or compromised passwords
  • Keep corporate data off of personal or public networks — the corporate data only appears superficially onscreen, and never actually enters or is stored on the user’s personal device
  • Provide a familiar environment and business access — the virtual desktop can be configured to look and behave exactly like an office-based system, with access to all corporate applications and data stores, productivity, email and collaboration software

At FIT Solutions, we can quickly set up a VDI for your employee remote access. It is housed in our data center in a private cloud, with all essential security measures provided. We connect the virtual desktops to any applications or data you need, whether those are in another public or private cloud, or in your own data center with access protected through a secure point-to-point VPN.

Have questions? We have the answers. For more information or to get started right away, give us a call at 888-339-5694. We’re also offering a free Remote Workforce Readiness assessment, which you can find here.
