Endpoint protection and detection of the Log4j vulnerability

On December 9th, an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2, versions 2.14.1 and below (CVE-2021-44228). Apache Log4j is the most popular Java logging library, with over 400,000 downloads from its GitHub project. The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more.

Exploiting this vulnerability is simple and allows threat actors to take control of Java-based web servers and launch remote code execution attacks.

This SK describes the measures and actions taken by Check Point to protect your Endpoints against the Log4j vulnerability.

Measures applied on your endpoints automatically

Check Point provides several Behavioral Guard signatures to detect and prevent attacks on your endpoints that use the Log4j vulnerability. These signatures apply to both Windows and Linux endpoints. Specifically, the following Behavioral Guard signatures are available:

Windows Signature Name | Linux Signature Name | Signature Description
(not listed) | Exploit_Linux_CVE-2021-4228_B | Detects Log4j exploits, scanners and tools by checking outbound HTTP connections
Miner.Win.StealthLoader.A | Trojan-Downloader_Linux_SuspectJavaExploit_B | Detects common post-exploitation activities observed from the malware, such as downloading a miner that uses XMRig or similar

Check Point constantly develops additional Behavioral Guard signatures. These signatures are updated automatically on your endpoints as more information is collected on the Log4j vulnerability and the attacks that use this exploit.

Measures you can take to detect and protect against the Log4j vulnerability

Firewall Rules

It is good practice to block unnecessary outbound connections on your endpoint firewall.
To stop a Log4j exploit from reaching an LDAP server, block outbound LDAP traffic.
Make sure the firewall rules do not allow outgoing traffic on the LDAP port, 389/TCP.

For information about managing the firewall blade, refer to sk164253.

Detection of the log4j vulnerability on your endpoints

Check Point offers a tool to help you determine whether your endpoints are vulnerable. The tool uses the Push Operation technology to scan the endpoints of your entire organization and presents a clear picture of which endpoints might be vulnerable.

For information about Log4j vulnerability detection, refer to sk176951.
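As an added example (not the Check Point scanner referenced in sk176951), the following Python script shows what an endpoint-side check for a vulnerable Log4j build looks like: it inspects JAR/WAR/EAR archives, including archives nested inside them, for a bundled log4j-core, reads the version from the Maven pom.properties and checks whether the JndiLookup class is still present. The version threshold (2.14.1 and below) comes from this SK; the archive-walking logic, the function names and the constructed sample archives are assumptions of this example.

```python
import io
import re
import zipfile

# Added example, not Check Point's scanner: function names and logic are assumptions.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LAST_VULNERABLE = (2, 14, 1)  # per the SK: 2.14.1 and below are affected

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def assess_archive(data, name="<root>"):
    """One finding per log4j-core found in archive bytes `data` or nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive; nothing to inspect
    names = zf.namelist()
    props = zf.read(POM_PATH).decode("utf-8", "replace") if POM_PATH in names else ""
    m = re.search(r"^version=(.+)$", props, re.M)  # Maven metadata holds the version
    version = m.group(1).strip() if m else None
    jndi_present = JNDI_CLASS in names
    if version or jndi_present:
        ver = parse_version(version) if version else None
        findings.append({"archive": name, "log4j_core_version": version,
                         "jndi_lookup_present": jndi_present,
                         # flagged when JndiLookup ships and version is unknown or <= 2.14.1
                         "vulnerable": jndi_present and (ver is None or ver <= LAST_VULNERABLE)})
    for n in names:  # recurse into nested archives (fat JARs, WEB-INF/lib, EAR modules)
        if n.lower().endswith((".jar", ".war", ".ear", ".zip")):
            findings.extend(assess_archive(zf.read(n), f"{name}!{n}"))
    return findings

def make_sample_archive(version, include_jndi, nested_in=None):
    """Constructed test archive (not a real log4j build), optionally nested at `nested_in`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
    if nested_in is None:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_in, buf.getvalue())
    return outer.getvalue()
```

To scan a real host, read each JAR/WAR/EAR on disk into bytes and pass it to assess_archive; a finding with "vulnerable" set means the endpoint still ships a JndiLookup-bearing log4j-core at or below 2.14.1.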

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
