Log4J - The Single Biggest, Most Critical Vulnerability Of The Last Decade

You need to presume you've been compromised and act quickly.

What is Log4j?

Log4j, a Java library for logging error messages in applications, is used in enterprise software applications, including those custom applications developed by companies in-house, and is part of many cloud computing services.

What is the Problem?

A flaw has been identified in Log4j which has led to the most high-profile security vulnerability on the internet. It comes with a severity score of 10 out of 10. 

The Log4j library is frequently used in enterprise Java software and is included in Apache frameworks including Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift. 

Since Log4j is so widely used, the vulnerability will affect a wide range of software and services from many major vendors, including (but not limited to) AWS, Broadcom, Cisco, IBM and VMware. Experts say the extreme ease with which the vulnerability allows an attacker to access a web server - no password required - is what makes it so dangerous.

It is almost certain that it will affect something in your technology stack. And while major vendors are rushing to release patches, cybercriminals are using it to exploit the vulnerabilities. Millions of servers have installed it, and experts have said the impact could last for years but the problem is very real right now. One security company has said over 40 percent of corporate networks have been targeted.

What Should I Do?

Cybersecurity and Infrastructure Security Agency's main advice is to identify internet-facing devices running Log4j and upgrade them to version 2.16.0, or to apply the mitigations provided by vendors immediately" It also recommends setting up alerts for probes or attacks on devices running Log4j.

It is important to note that the original guidance to upgrade to 2.15.0 has been superseded as that version was vulnerable to DDOS attack. So even if you think you have addressed the risk you will need to go back and check that there are not more updates.

Part of the challenge is identifying software harbouring the Log4j vulnerability. The Netherlands's National Cyber Security Centrum (NCSC) has posted a comprehensive and sourced A-Z list on GitHub of all affected products which can be found here https://github.com/NCSC-NL/log4shell. It has broken the categories down into vulnerable, not vulnerable, under investigation, or where a fix is available. This list illustrates how widespread the vulnerability is, developer services, covering cloud services, security devices, mapping services and more.

However, patching systems could be a complicated task. While most organizations and cloud providers, such as Amazon Web Services, should easily update their web servers, the same Apache software is often embedded in third-party programs that can only be updated by their owners.

Where Can I Find Help?

If you are concerned about the Log4j flaw, need help to identify your potential risk and mitigate them, contact Rose It Solutions. Our team will be happy to assist.

See a couple of Webcast from our Partners discussing the Vulnerability