This blog post talks about the Log4j vulnerability, how it works, why it is critical, who it affects, and steps your business can take to reduce the risks of Log4j vulnerability exploit.

What Is The Log4j Vulnerability?

Log4j is a Java-based logging utility used for recording user activity and the behavior of applications. This is generally used by software developers to review the user activity of their applications. It is distributed free by the nonprofit Apache Software Foundation and is one of the most widely used tools for collecting information across computer networks, websites, and applications.

On the 9th of December, 2021, the Apache Software Foundation released a security advisory addressing a vulnerability (CVE-2021-44228) affecting Log4j. This vulnerability also referred to as the Log4Shell vulnerability leaves you open to remote code execution (RCE) exploit. It has been rated as a critical severity and assigned a CVSS score of 10/10. Many security professionals have called it the most critical vulnerability seen this year.

How Does The Log4j Vulnerability Work?

The Log4j vulnerability allows unauthenticated RCE, which can be used by an attacker to remotely execute any code on a machine connected to a LAN, WAN, or the Internet. The attackers can use a variety of input methods to trigger the code, which is then processed by the Log4j 2 vulnerable element.

This vulnerability has a low attack barrier and attackers can exploit it by simply typing a string of code into a window. Further, since it is a “pre-authentication”, attackers do not need to sign into a vulnerable system to gain access.

Why Does The Log4j Vulnerability Matter?

Log4j is very common among software developers but even if you are not a developer, it is very likely that you are still using it indirectly. Many open-source libraries depend on Log4j, making it fairly pervasive. Apple’s cloud computing services, Cloudflare, and Minecraft are a few of the many applications using it.

Log4j 2 is built into popular frameworks such as Apache Struts2 and others that are widely used, making many third-party applications and services vulnerable, exposing a large attack surface. Companies such as IBM, Oracle, CISCO, Google, and Amazon all run the software. Therefore, even if you are not using the software directly, it is highly likely that you are using an app, website, or service that uses it, thus rendering your systems vulnerable to attacks.

Are Hackers Exploiting The Log4j Security Flaw?

Soon after the Log4j vulnerability was made public, attackers began exploiting it in the wild. There have been reports of malware, ransomware, and other threats exploiting this vulnerability. If left unpatched, hackers can exploit the Log4j vulnerability to take over servers, applications, and devices, and infiltrate your networks.

Is The Log4j Security Flaw Patched?

Log4j 2 Version 2.15.0 was released by the Apache Foundation to address the Log4j security flaw. The Apache Foundation has also urged users to review the Apache Log4j 2 2.15.0 Announcement. On December 10, 2021, Apache released Log4j version 2.15.0 to address the CVE-2021-44228 vulnerability, and on December 13, 2021, Log4j version 2.16.0 was to address the CVE-2021-45046 vulnerability, which could be exploited to cause a denial-of-service (DOS) condition in certain configurations.

On December 19, 2021, the Apache Foundation revealed a third bug in Log4j. This vulnerability, CVE-2021-45105 rated 7.5/10 is an infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. This issue is fixed in Log4j 2.17.0.

If your organization uses the Java logging library, Apache Log4j 2 between versions 2.0-beta9 and 2.14.1, it needs to upgrade to Log4j version 2.17.0 to safeguard against both of the vulnerabilities.

The Cybersecurity & Infrastructure Security Agency (CISA) additionally recommends the following steps:

• Catalog any external-facing devices that have Log4j 2 installed.

• Ensure that the security operations center is addressing each alert on the devices that fall into the category above.

• Install a web application firewall (WAF) with rules to automatically update so that your Systems Operations Center (SOC) is able to concentrate on relevant alerts. 

What Can Your Business Do To Protect Itself?

If you are a vendor of any application or service using Log4j, here’s what you need to do:

• Identify, mitigate, and update affected products using Log4j to version 2.16.0,

• Inform end-users of your products containing these vulnerabilities, and

• Urge them to immediately update the affected applications.

If you believe you may be using applications or services from impacted vendors, here’s what you can do:

• Review CISA’s GitHub repository for a list of affected vendor information,

• Apply software updates/patches as soon as they are available.

• Review the “Actions for Organizations Running Products with Log4j” section of CISA’s Log4j vulnerability guidance.

• Have your IT security team review your internal development services to check if you are categorized as an affected vendor.

•  Also, review all current services to see if there are any possible risks.

Conclusion

There is still more clarity required and security experts are continuing their investigations to discover the full scope and magnitude of the impact of the Log4j vulnerability. As the security industry continues to gain a deeper understanding of the impact of this threat, we will update you with further information as they become available.

In the meantime, if you have any concerns about any particular service or application, it is advisable to check if they have released any statements or reach out to them directly. 

If you are a Jones IT client, you can rest assured that we are already on the case, identifying impacted vendors and services and closely monitoring developments, news, and announcements to make sure that your systems are patched and secured.

If you liked the blog, please share it with your friends