Nextron Products Unaffected by Log4j Vulnerability CVE-2021-44228

by Dec 13, 2021

We have reviewed our products in order to identify services that use the vulnerable log4j library. Only Elastic Search in ASGARD Analysis Cockpit uses log4j but is NOT vulnerable. 

“Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager. Elasticsearch on JDK8 or below is susceptible to an information leak via DNS which is fixed by a simple JVM property change.”

Source: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Even older and EOL products like ASGARD v1 are not affected.

Other products don’t use JAVA or log4j.

New Lab License Feature: Audit Trail

We’re pleased to introduce a new feature for our lab license holders, with more exciting updates on the horizon. The feature, called “Audit Trail,” can be activated during a scan using the --audit-trail flag. This generates a comprehensive log file in JSON format, capturing detailed output for each module and documenting every element that THOR interacts with during a scan.

The Audit Trail feature is currently available in TechPreview version 10.7. The output format isn’t finalized yet, as it will be refined for THOR v11, but this early version allows you to explore the kinds of elements it includes. The audit trail is ideal for forensic analysts conducting manual investigations, providing a detailed record of the scan process.

We’re also developing tools to further enhance the audit trail’s utility. These tools will help transform the data for use with your preferred timeline tools and enable correlations within its contents. For example, you can analyze whether a file was created within a relevant time frame, executed shortly after, and is still running as a process.

If you have questions about these features or want to report any issues, please join our community Discord server.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.

Newsletter

New blog posts
(~1 email/month)

GDPR Cookie Consent with Real Cookie Banner