In early December, the world learned about a critical flaw in Log4j (dubbed Log4Shell), which is a logging library used in millions of Java-based applications: social media, music/video streaming services, Amazon, Acrobat Reader, Google Earth, etc. (the list goes on—and on).
After attackers discovered the flaw, they started doing what they do best: exploiting it.
Because Log4j is part of the Apache Logging Services, a project of the Apache Software Foundation, Apache released details about the vulnerability on Dec. 8, 2021, along with an advisory and fix for the issue with the release of Log4j 2.15.0.
We reached out to NSCA Business Accelerator Defendify, an all-in-one cybersecurity SaaS platform designed for integrators, to get its thoughts on the Log4j vulnerability and its impact on the industry. Here’s what Defendify’s Shanna Utgard, senior cybersecurity advocate, had to say.
Q: What is Log4j/Log4Shell?
A: Log4j is a popular, open-source, Java-based data logging tool that is widely used in many applications, including websites, technology products, and services across the internet. Log4Shell (CVE-2021-44228) is a zero-day vulnerability that impacts systems using Log4j 2.0-beta9 up to version 2.14.1.
It’s reported that cyber attackers are targeting organizations that have vulnerable systems (and there are many). If successful, it may allow attackers to perform remote code execution, implant malware, collect passwords, log keystrokes, exfiltrate sensitive data, place cryptocurrency miners, and/or deliver ransomware.
Q: How bad is Log4j/Log4Shell?
A: Using the CVSS scoring methodology (Common Vulnerability Scoring System, an open framework for communicating the characteristics and severity of software vulnerabilities), this vulnerability scores the highest possible rating of 10.0 (critical).
The attack complexity is low and does not require privileges or user interaction. It also has high impact levels. Repeatedly dubbed one of the biggest known vulnerabilities, it’s estimated to affect hundreds of millions of devices; however, the true extent of exposure to this vulnerability is unknown. Due to dependencies, it may be deeply embedded in your technology stack.
Q: What steps should systems integrators take now?
A: There are several steps to take, but here some key ones to start:
- Work to discover vulnerable applications. You can do this by running external and internal network vulnerability scanning to assist in identifying any assets that use Log4j.
- Check affected third-party and vendor products within the CISA Vendor Database and identify solutions that might impact you.
- Update affected assets to the most recent version of Log4j. Sign up for notifications and continue to monitor new update releases and recommendations.
- Version 2.15.0 was released on Dec. 6, 2021, to address the remote code execution via CVE-2021-44228; however, new vulnerabilities were subsequently discovered.
- CVE-2021-45046 was addressed and patched on Dec. 13 with version 2.16.0.
- The most recent update, version 2.17.0 on Dec. 17, remedied another vulnerability: CVE-2021-45105.
- If patching is not possible, then consider isolating affected assets and performing additional mitigation steps or workarounds. Learn more by visiting CISA’s vulnerability guidance page.
- As patches are released, fully update all apps and products promptly.
- Closely monitor all network logs (endpoint, network, firewall, IPS, cloud, WAF) for suspicious activity, including suspicious outbound traffic and connections.
- Review your cybersecurity insurance coverage and incident response plan.
Additional Log4j Resources
- National Vulnerability Database Information
- Fixes in versions of Apache Log4j 2
- Center for Internet Security Log4j Zero-Day Vulnerability Response Guide (includes a helpful flow chart and incident response playbook)