Security company offers Log4j 'vaccine' for systems that can't be updated immediately

For those unable to patch the Apache Log4Shell vulnerability, cybersecurity firm Cybereason has released what they called a “fix” for the 0-day exploit. Cybereason urged people to patch their systems as soon as possible, but for those who cannot update their systems or do so immediately, they have created a tool they are calling “Logout4shell.”

Log4j coverage

It is freely available on GitHub and Cybereason said it “is a relatively simple fix that requires only basic Java skills to implement.” 

“In short, the fix uses the vulnerability itself to set the flag that turns it off. Because the vulnerability is so easy to exploit and so ubiquitous—it’s one of the very few ways to close it in certain scenarios,” said Yonatan Striem-Amit, CTO of Cybereason. 

“You can permanently close the vulnerability by causing the server to save a configuration file, but that is a more difficult proposition. The simplest solution is to set up a server that will download and then run a class that changes the server’s configuration to not load things anymore.”

The “vaccine” garnered a mixed response from experts, some of whom praised the company for stepping up while others said it wasn’t nearly enough to

Read More: https://www.zdnet.com/article/security-company-offers-log4j-vaccine-for-systems-that-cant-be-updated-immediately/#ftag=RSSbaffb68