Threat Prevention "ET EXPLOIT [Possible] Apache log4j RCE Attempt" signatures added to ET OPEN


fredbert

I've started to see Threat Prevention events and alerts flagged as relating to the new Apache log4j exploit. The 20 new ET OPEN rules are defaulted to drop:

1639388091447.png

If you haven't enabled rules for "Attempted Administrator Privilege Gain" then it would be sensible to enable them now.

1639388747944.png
 
I also found some new 'Alert' signatures in "Misc activity" Low. I'm of the opinion that Low facilitates High, so I've set these to Deny too.

1639394622085.png


Previously I have already set any 'Scan' signature to Deny along with signatures for low reputation IPs, and similar. There's no reason why these would be needing to access my IP address.
 
It's all triggered in SRM's Threat prevention on 'tickles' coming from the Internet. I'd rather have these blocked before they reach the NAS. And just in case there is any issue when using Apache as a backend in Web Station.

addendum...

Plus people may be port forwarding to non-Synology servers that could be affected. That's also why I posted this information in the SRM area.
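
As an added example (not part of the original posts and not Synology's code), here is the same policy applied to a ruleset held in Suricata/ET OPEN rule text format, which is an assumption about how the rules are available. The sample rules, the SIDs in the 9000000 range and the function names are constructed for illustration; `attempted-admin` and `misc-activity` are the Suricata classtype identifiers for "Attempted Administrator Privilege Gain" and "Misc activity".

```python
import re

# Policy from the posts above: drop the log4j signatures, the "Attempted
# Administrator Privilege Gain" class, "Misc activity", and any scan signature.
DROP_CLASSTYPES = {"attempted-admin", "misc-activity"}
DROP_MSG_PATTERNS = [re.compile(r"log4j", re.I), re.compile(r"^ET SCAN\b")]

# action, header (proto/addresses/ports), then the parenthesised option list
RULE_RE = re.compile(r"^(?P<action>alert|drop|reject|pass)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$")

def option(opts, name):
    """Return the value of a rule option such as msg, classtype or sid."""
    m = re.search(rf'(?:^|;)\s*{re.escape(name)}\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;', opts)
    return m.group(1).strip('"') if m else None

def should_drop(msg, classtype):
    return classtype in DROP_CLASSTYPES or any(p.search(msg or "") for p in DROP_MSG_PATTERNS)

def apply_policy(rules_text):
    """Return (rewritten_rules, changed_sids). Only enabled 'alert' rules are
    promoted; commented-out rules and rules already set to drop are untouched."""
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m["action"] == "alert":
            opts = m["opts"]
            if should_drop(option(opts, "msg"), option(opts, "classtype")):
                line = "drop" + line.strip()[len("alert"):]
                changed.append(int(option(opts, "sid")))
        out.append(line)
    return "\n".join(out), changed

# Constructed sample ruleset: no real ET OPEN rule bodies or SIDs are reproduced.
SAMPLE_RULES = '''\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [Possible] Apache log4j RCE Attempt (constructed sample)"; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN constructed scanner probe"; classtype:attempted-recon; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO constructed low-priority event"; classtype:misc-activity; sid:9000003; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET DNS constructed informational query"; classtype:bad-unknown; sid:9000004; rev:1;)
# alert tcp any any -> any any (msg:"ET SCAN disabled constructed rule"; classtype:attempted-recon; sid:9000005; rev:1;)
drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CINS constructed poor-reputation IP"; classtype:misc-attack; sid:9000006; rev:1;)
'''

if __name__ == "__main__":
    new_rules, changed = apply_policy(SAMPLE_RULES)
    print("promoted alert -> drop:", changed)
    print(new_rules)
```

The list of changed SIDs doubles as an audit of which enabled signatures were still alert-only before the policy was applied.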
 
