A critical vulnerability was reported in Apache Log4j, the extremely popular logging framework for Java (specifically, the 2.x branch known as Log4j2). Apache Log4j is an open-source logging library used by thousands, if not millions, of applications.
Dubbed Log4Shell, the vulnerability was initially reported through Minecraft gaming sites, which warned that threat actors could execute malicious code on servers and clients running the Java version of the game.
The vulnerability, CVE-2021-44228, is a remote code execution flaw that allows attackers to run code on any system using the log4j2 Java library. It carries a severity rating of 10 out of 10, the highest and most critical.
The Log4Shell vulnerability affects:
According to the illustration provided by Juniper Networks researchers, here is what the exploit looks like:
To mitigate this vulnerability in Log4j2 releases prior to 2.16.0, you need to do one of the following:
Note that only the log4j-core JAR file is affected by this vulnerability. Applications that use only the log4j-api JAR file, without the log4j-core JAR file, are not affected.
More information can be found at the Apache Logging - Security website.
With Magalix Policies, there are multiple ways to discover and mitigate Log4Shell.
For those running Log4j 2.10 to 2.14.1, the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS should be set to “true”. The Magalix Platform can scan deployed Kubernetes objects and raise a violation if that environment variable is not set, or is set to “false”. You can also apply the same Policy further left, so that Kubernetes objects defined as code are checked, and violations raised, within a feature branch before anything is deployed.
Additionally, you can scan for and prevent certain container images and tags (versions) from being applied. Magalix provides Policies that can be easily customized to block these images from entering your cloud-native environment within seconds, without having to know Rego.
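As an added example (plain Python, not Magalix's own Rego Policies), the two checks described above, the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable and a blocked image/tag list, run over a Kubernetes object parsed from YAML or JSON into a dict. The registry names, tags and sample Deployment are constructed for illustration.

```python
# Added example, not Magalix's own Policy code. Static checks for the two
# Log4Shell controls above, run over a Kubernetes object parsed into a dict.
BLOCKED_IMAGES = {"registry.example/app": {"1.0", "1.1"}}  # constructed block list

# Constructed Deployment: the app container sets the variable to "false",
# the init container omits it, and the app image is on the block list.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": "registry.example/app:1.1",
                        "env": [{"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "false"}]}],
        "initContainers": [{"name": "init", "image": "registry.example/init:2.0"}],
    }}},
}

def containers_of(obj):
    """App and init containers of a Pod, or of a workload with a pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") != "Pod":
        spec = spec.get("template", {}).get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])

def split_image(image):
    """'repo:tag' -> (repo, tag); '@digest' is kept as the tag; no tag means 'latest'."""
    if "@" in image:
        return tuple(image.split("@", 1))
    if ":" in image.rsplit("/", 1)[-1]:      # a colon after the last slash is a tag
        return tuple(image.rsplit(":", 1))   # (a colon before it is a registry port)
    return image, "latest"

def check_no_lookups(obj):
    """Violations for containers lacking LOG4J_FORMAT_MSG_NO_LOOKUPS=true."""
    out = []
    for c in containers_of(obj):
        env = {e.get("name"): e for e in c.get("env", [])}
        e = env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS")
        if e is None:
            out.append(f"{c['name']}: LOG4J_FORMAT_MSG_NO_LOOKUPS is not set")
        elif "valueFrom" in e:  # ConfigMap/Secret references cannot be verified statically
            out.append(f"{c['name']}: LOG4J_FORMAT_MSG_NO_LOOKUPS is a reference, not verifiable")
        elif str(e.get("value", "")).lower() != "true":
            out.append(f"{c['name']}: LOG4J_FORMAT_MSG_NO_LOOKUPS={e.get('value')!r}, expected 'true'")
    return out

def check_blocked_images(obj, blocked=BLOCKED_IMAGES):
    """Violations for containers whose image:tag is on the block list."""
    out = []
    for c in containers_of(obj):
        repo, tag = split_image(c.get("image", ""))
        if tag in blocked.get(repo, set()):
            out.append(f"{c['name']}: image {repo}:{tag} is blocked")
    return out
```

Running both checks over the same parsed manifests in CI gives the shift-left version of the Policy: a feature branch fails before the object reaches a cluster.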
Mitigation is one thing, but being proactive by shifting your Policies left can prevent this class of issue from recurring. Magalix provides hundreds of out-of-the-box Policies and templates so that you can create and scale your own custom rules as easily and quickly as possible.
Magalix K8s Policy packs cover CIS, MITRE ATT&CK, and PCI DSS standards. You can find out more about our Policies and our coverage here.