

Log4j Vulnerability: What is it and why should I care?

 December 20, 2021

By  David Sims


Maybe you’ve heard about this thing called the Log4j Vulnerability. Let’s take a quick look at what this is and why you should care.

What is the Log4j Vulnerability?

On December 9, 2021, security researchers discovered a flaw in the code of a software library used for logging. The software library, Log4j, is written in Java, a popular programming language with widespread use in software and applications worldwide. This flaw in Log4j is estimated to be present in over 100 million instances globally.

The flaw, which the security community calls a vulnerability, was rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS) because of the impact it can have if leveraged by attackers.

A “bad guy” can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the bad guy to take full control over the system. The bad guy can then steal information, launch ransomware, or conduct other malicious activity.

Why should you care?

When the initial vulnerability was made public, it was described as a zero-day (or 0day), which means it was being targeted and potentially acted upon prior to the software developers knowing that it existed. In other words, the developers had zero days to implement a fix for the vulnerability before it may have been used in an attack.

Many businesses run applications, both locally and in the cloud, that are built on the underlying framework where this vulnerability lives. It is extremely prevalent, so unless you are 100% sure that none of your software platforms are affected by the Log4j vulnerability, it is best to assume you are.

As with most vulnerabilities, there will be a number of businesses that ignore the warnings and alerts. Those businesses will be easy targets.

Keep in mind that once a vulnerability is announced to the public, the bad guys will put an enormous amount of effort into capitalizing on it before the opportunity diminishes. Unfortunately, in many cases the bad guys will put more effort into attacking than many businesses will put into protecting themselves.

What should you do?

If you are running any server applications, web applications, or cloud applications, you should assess this issue. Have your internal or outsourced IT team help you with this. Also, ask your cloud vendors how this affects them and what they are doing to address it.

While you are doing this assessment, it is a great time to also assess your business continuity plans. Ensure you have recoverable backups that are not accessible to attackers. Understand how you will respond to an attack should one happen. How will you run your business if all of your technology or data is hijacked or stolen?

I highly recommend following the advice of Apache, which is to update immediately.

If you addressed this vulnerability prior to December 14, you should know that researchers also discovered vulnerabilities in the fix and released another fix. On December 17, more issues were found and another fix was released. We expect this cycle to continue in the short term as security teams and researchers scramble to address this problem.
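The first step of the assessment above is simply finding out where Log4j lives on your systems and which version each copy is, so the update advice can be checked against something concrete. The script below is an added example written for this post, not code from the original article or from Apache. It walks a directory tree, finds every log4j-core JAR, reads the version from the JAR's own manifest (falling back to the file name), and flags copies older than a minimum version you pass in. The sample JARs, their version numbers and the demo threshold are constructed for the demonstration; for real use, supply the fixed release that Apache's advisory currently names.

```python
"""Inventory log4j-core JARs under a directory and flag copies below a minimum version."""
import os
import re
import tempfile
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
NAME_VERSION = re.compile(r"log4j-core-(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.
    A missing or unparseable version sorts lowest, so it is treated as outdated."""
    m = re.match(r"\d+(?:\.\d+)*", (text or "").strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def jar_version(path):
    """Return the version recorded in the JAR manifest, falling back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read(MANIFEST).decode("utf-8", errors="replace")
        for line in manifest.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == "implementation-version":
                return value.strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable archive or no manifest: fall back to the file name below
    m = NAME_VERSION.search(os.path.basename(path))
    return m.group(1) if m else None


def find_log4j_jars(root, min_version):
    """Walk root and return [(path, version, outdated)] for every log4j-core JAR found."""
    wanted = parse_version(min_version)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("log4j-core") and lower.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                found.append((path, version, parse_version(version) < wanted))
    return found


def make_sample_jar(path, version):
    """Constructed fixture: a minimal JAR (a zip file) holding only a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)


def demo_scan(min_version):
    """Build a throwaway tree of constructed sample JARs, scan it, and
    return {file name: outdated} so the result is easy to check."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "app", "lib"))
    make_sample_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "app", "log4j-core-2.99.0.jar"), "2.99.0")
    # A JAR whose manifest carries no version: only the file name tells us anything.
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.0.jar"), "w") as zf:
        zf.writestr("placeholder.txt", "")
    return {os.path.basename(p): outdated for p, _v, outdated in find_log4j_jars(root, min_version)}


if __name__ == "__main__":
    import sys
    # Real use: python log4j_scan.py /path/to/search MIN_VERSION
    # MIN_VERSION is the fixed release named in Apache's current advisory.
    if len(sys.argv) == 3:
        for path, version, outdated in find_log4j_jars(sys.argv[1], sys.argv[2]):
            print("%-7s %-10s %s" % ("UPDATE" if outdated else "ok", version or "?", path))
    else:
        print(demo_scan("2.17.0"))  # "2.17.0" is only a sample threshold for the demo
```

Treat this as a first pass, not a verdict: Log4j copies bundled inside another archive (a WAR or an all-in-one application JAR) will not be found by file name, so unpack or ask the vendor about those; and because Apache also released fixed builds on older branches for old Java versions, a low version number on such a branch should be checked against the advisory rather than assumed vulnerable. Anything the scan flags still needs the compromise assessment described below, since finding an old copy says nothing about whether it was already exploited.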

If you find that you are vulnerable, don’t just fix the problem and move on. There is a likelihood that a successful exploit of this vulnerability has already happened. The bad guys may already be in your stuff. Locking the door while the bad guy is already in the house doesn’t protect you from what is already on the inside. Therefore, you will also need to do an assessment to understand if anyone “got in while the door was open”.

If you are in a regulated industry, like healthcare, I highly recommend a documented response to provide proof that you have assessed and responded to this vulnerability. With a score of 10 out of 10 for potential impact, it will be very difficult to say you did not feel the need to at least do a risk assessment of this issue.

The Center for Internet Security has developed the following Log4j Vulnerability Response Playbook to help:

[Figure: Log4j-Flowchart, the CIS Log4j Vulnerability Response Playbook]

How can you stay up-to-date on the Log4j Vulnerability?

CISA, the Cybersecurity & Infrastructure Security Agency, has created a webpage dedicated to Apache Log4j Vulnerability Guidance: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

If you need help in assessing or addressing this vulnerability for your business or organization, you may give us a call at 704-980-8271 or contact us here. Stay safe!
