UPDATE (12/15/2021) – At least two vulnerabilities have been found in the patch (released as Log4J 2.15.0) for the Log4j vulnerability, and attackers are actively exploiting them. If you have deployed that patch (Log4J 2.15.0) researchers are urging orgs to install a new patch, released as version 2.16.0, as soon as possible to fix the vulnerability (tracked as CVE-2021-45046). Learn more here.
As you may have seen, a zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE). The Apache Log4j utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j version 2.14.1 or below to be compromised and allow an attacker to execute arbitrary code.
On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposure alert, CVE-2021-44228. More specifically, Java Naming Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.
Here at Cameyo, security is the core of our business and our platform. We have already mitigated this Log4j risk in our environment and are actively blocking any malicious exploit attempts. These protections are already in place within Cameyo – and there is no action required by our customers.
More importantly, because of Cameyo’s zero trust architecture and our industry-first innovations like Port Shield, Cloud Tunneling, and NoVPN, our customers were proactively protected against these Log4Shell attacks all along. Our Cameyo Port Shield technology is the first built-in security technology of its kind that automatically closes RDP and HTTP ports to the entire world, and then dynamically opens and closes them specifically to authenticated users, based on white-listed IP addresses, only when needed.
Cameyo has and continues to be at the forefront of proactively protecting against vulnerabilities and attacks aimed at remote & hybrid work. Cameyo is the only cloud-native Virtual Application Delivery (VAD) platform that was built from the ground up with a zero trust security platform at its core. Yes, Cameyo helps enable and simplify remote & hybrid work. But more importantly, and before all else, Cameyo secures remote & hybrid work.
Here are the core tenets of Cameyo’s zero trust security model:
- Device Access Control – Cameyo never trusts any device (even managed devices) because those devices can be compromised. Cameyo gives users secure access to the apps they need to be productive while providing complete isolation between devices and their organization’s network/data.
- Segmentation – Even once users are in a session, Cameyo segments that session from customers’ networks and data to ensure ongoing separation.
- Prevention of Lateral Movement – Even in the case where a device has ransomware or malware, that malware cannot reach the customer organization’s network/data, nor can malware on their systems reach the Cameyo system.
- Always-On Monitoring & Validation – Cameyo utilizes non-persistent servers, so all customer user data is wiped from the Cameyo server every time the user logs out.
- Least Privilege – With Cameyo all traffic is encrypted and apps are delivered from a secure HTML5 browser, separating the user’s device from the corporate network and eliminating the need for VPNs. Cameyo also utilizes Windows Terminal Services and temporary user profiles, ensuring users are unable to access admin privileges, settings, and files.
- Identity & Access Management – Cameyo integrates with the customer’s Single Sign-On (SSO) provider of choice, and the Multi-Factor Authentication (MFA) they have set up with their SSO applies to Cameyo.
If you’re concerned about Log4j, or if you’re looking for a more secure approach to enabling remote & hybrid work, we’d love to help. Even if you’re not currently considering Virtual Application Delivery (VAD), our security experts would be happy to discuss and provide actionable tips – just book a time here: Schedule a Demo.