Summary

NetFoundry software does not use Apache Log4j. No NetFoundry product is vulnerable to the exploitation of CVE-2021-44228.

In addition, NetFoundry’s Secure by Design architecture helps mitigate the threat for systems which do use Apache Log4j.

Details of the CVE-2021-44228 Vulnerability 

This CVE carries a CVSS base score of 10.0, the highest possible. Any device that is exposed to a network is potentially at risk if it is running Apache Log4j 2, versions 2.0-beta9 through 2.14.1.

From NIST: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true” or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Note that the log4j2.formatMsgNoLookups mitigation was later found to be incomplete in some configurations (CVE-2021-45046). Upgrading log4j-core to a fixed release, or removing the JndiLookup class where an upgrade is not yet possible, is the durable fix.
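As an added example (this is not NetFoundry's or Apache's code), the following Python script performs the checks the NIST text implies when you have to find Log4j across a fleet: it reads the version of a log4j-core jar from its manifest (or file name), tests whether JndiLookup.class is still present, recurses into jars packed inside wars, ears and fat jars, and performs the same class removal as the `zip -q -d` command. The jar and war it builds are constructed stand-ins with placeholder class entries, and the version threshold follows the NVD text quoted above (2.15.0 disables message lookups by default); the function and verdict names are this example's own.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOOKUPS_OFF_BY_DEFAULT = (2, 15, 0)  # per the NVD text: message lookups disabled by default from 2.15.0
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). None if it does not look like a version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def jar_version(zf, filename):
    """Implementation-Version from META-INF/MANIFEST.MF, else the version embedded in the file name."""
    if "META-INF/MANIFEST.MF" in zf.namelist():
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return parse_version(m.group(1))
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", filename)
    return parse_version(m.group(1)) if m else None


def assess_jar(data, filename="log4j-core.jar"):
    """Classify one log4j-core jar (bytes):
    'vulnerable'       JndiLookup present and version below 2.15.0
    'lookups-disabled' JndiLookup present, version >= 2.15.0 (lookups off by default per NVD)
    'class-removed'    JndiLookup absent, i.e. the zip -d mitigation has been applied
    'unknown'          JndiLookup present but no version could be read"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if JNDI_LOOKUP_CLASS not in zf.namelist():
            return "class-removed"
        version = jar_version(zf, filename)
    if version is None:
        return "unknown"
    return "lookups-disabled" if version >= LOOKUPS_OFF_BY_DEFAULT else "vulnerable"


def assess_archive(data, filename, depth=0):
    """Yield (path, verdict) for every log4j-core found in an archive, including jars nested
    inside wars, ears and fat jars, which a plain `find / -name 'log4j-core*'` misses."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names or "log4j-core" in filename:
            yield filename, assess_jar(data, filename)
        if depth < 4:
            for name in names:
                if name.lower().endswith(NESTED_SUFFIXES):
                    yield from assess_archive(zf.read(name), f"{filename}!/{name}", depth + 1)


def strip_jndi_lookup(data):
    """Rebuild the jar without JndiLookup.class, the same effect as
    `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


# Constructed stand-ins for real artifacts (a real log4j-core jar holds hundreds of classes).
def build_sample_jar(version, include_jndi=True):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war(jar_bytes, inner_name="WEB-INF/lib/log4j-core-2.14.1.jar"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr(inner_name, jar_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war(build_sample_jar("2.14.1"))
    for path, verdict in assess_archive(war, "app.war"):
        print(f"{verdict:17} {path}")
    print(assess_jar(strip_jndi_lookup(build_sample_jar("2.14.1")), "log4j-core-2.14.1.jar"))
```

Run it against a real deployment by reading each jar, war or ear under the application directory into `assess_archive`; a verdict of `vulnerable` or `unknown` on any nested path is the one to act on, and `strip_jndi_lookup` is only a stopgap until the jar can be upgraded.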

NetFoundry Mitigation of CVE-2021-44228

The Log4j vulnerability involves retrieving additional code from an attacker-controlled server and, from there, command and control. The usual flow is: the attacker places a specially crafted lookup string where it will be logged, the vulnerable server's logging library resolves that string by connecting out to the attacker's LDAP (or RMI or HTTP) server, downloads a class from it and executes it. With the NetFoundry solution described below, a host whose only permitted egress is its authorized overlay session cannot reach the attacker's server, so the second stage fails even though the lookup was triggered.

In more detail, the mitigation of CVE-2021-44228 is achieved by the core NetFoundry Secure by Design implementation of:

  • closing all inbound firewall ports
  • least-privileged access based on embedded strong identities
  • outbound-only, authorized sessions to private Fabric routers, established solely for the flows the solution needs
  • the elimination of vulnerable bolted-on infrastructure and dependencies (VPN, SD-WAN, MPLS-WAN, etc.)
  • the simplicity of SaaS and the transparency of open source (OpenZiti) with a software-only consumption model (complexity, proprietary islands and infrastructure dependencies lead to vulnerabilities)
  • support for all use cases, e.g. app server to database, API, remote access (RDP etc.), IoT, supply chain, multicloud, etc. (as compared to only supporting user-to-web-app security, which leaves too many security holes and creates the need for bespoke solutions and complexity)

NetFoundry’s Secure by Design protection

Log4j is another example of how exploitation techniques spread faster than patches and update procedures. Updating firewall rules and software after disclosure is simply too late. Even if the vendor of a vulnerable software package quickly produces a patch, many users are left to close the barn door and clean up the mess already made by attackers who exploited the software in the meantime.

However, with NetFoundry’s unique Secure by Design architecture, the barn door is always closed, proactively. In fact, most can’t even see the barn.

Inbound firewall ports are closed and IP addresses are no longer exposed. The barn door is closed, with cloud-orchestrated software. This is nearly impossible with a solution that lacks NetFoundry's architecture and components. This authenticate-before-connect architecture, which extends to any application without agents or DNS changes, uses strong identities and least-privileged access to minimize the attack surface and blast radius. Nobody knows where the next CVE will be; this approach therefore mitigates the risk that the CVE can be exploited from the network.

In MITRE ATT&CK terms, this NetFoundry Secure by Design approach acts early to disrupt the Reconnaissance and Initial Access tactics by making targeted applications unreachable from the network. Disrupting these tactics is critical to proactively preventing breaches: new zero-day vulnerabilities are (by definition) exploited before there are patches, and of course before organizations can apply them, so they require a Secure by Design approach. A NetFoundry Secure by Design organization has mitigated the risk by taking every measure to ensure the attack cannot reach the vulnerability to begin with. This significantly reduces the overall risk to the organization while it carries out its patching or upgrade procedures. Of course, breaches are always possible, and so the NetFoundry solution is also designed to minimize and isolate the blast radius of a successful exploit within a network, for example by not allowing hostile software to 'call home' or spread through the network.
