The Log4j vulnerability affects everything from the cloud to developer tools and security devices. Here’s what to look for, according to the latest information.
A vulnerability in a commonly used logging platform has security experts and officials rushing to patch systems before cybercriminals are able to exploit the flaw. Also known as Log4Shell, the flaw is exposing some of the world’s most popular applications and services to attack, and the outlook hasn’t improved since the vulnerability was announced last week. Cybersecurity experts warn this vulnerability will continue to haunt the internet for the next several years.
Here are 5 important things to know about the Log4j vulnerability.
What is Apache Log4j?
Log4j is a logging library widely used by developers and programmers to record what is happening on applications and servers. The vulnerability is also being referred to as “Log4Shell.” The name of the Java logging system where the vulnerability has been found is “log4j2”. The threat is a zero-day vulnerability, meaning attackers are taking advantage of a software security flaw that is either unknown to those responsible for securing the affected systems or for which no patch or fix is yet available. The typical catch with zero-day vulnerabilities is that the flaws are known only to bad actors, so the defenders have no idea the flaw exists and therefore have no patch to fix it.
Why is it such a big deal?
The range of impact is so broad because of the nature of the vulnerability itself. Log4j is used by a very large percentage of the Java programs developed in the last decade for both server and client applications, and Java is one of the top programming languages used by businesses. The bug makes many online systems built on Java vulnerable to zero-day attacks. If bad actors exploit the vulnerability, it allows remote code execution (RCE), letting them download malware onto exposed servers. Since the bug affects companies and services with millions of customers (and their data), it puts a myriad of servers and machines at risk.
When was it discovered?
The Log4j flaw first came to light on December 9, 2021.
What devices and applications are at risk?
Amazon Web Services, Microsoft, Cisco, Apple iCloud, Google Cloud and IBM have all found that at least some of their services were vulnerable, and these vendors have been rushing to issue fixes and advise customers about how best to proceed. Even widely used apps like Minecraft have been found vulnerable. An extensive list of responses from impacted organizations has been compiled here. The exact extent of the exposure is still coming into view, though.
How can you protect yourself and your organization?
The Cybersecurity & Infrastructure Security Agency’s (CISA’s) main advice is to identify internet-facing devices running Log4j and upgrade them to version 2.15.0, or to apply the mitigations provided by vendors “immediately.” It also recommends setting up alerts for probes or attacks on devices running Log4j.
CISA recommends affected entities:
• Review Apache’s Log4j Security Vulnerabilities page for additional information.
• Apply available patches immediately. See CISA’s upcoming GitHub repository for known affected products and patch information.
• Prioritize patching, starting with mission critical systems, internet-facing systems and networked servers. Then prioritize patching other affected information technology and operational technology assets.
• Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=true to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above.
• CISA’s Binding Operational Directive (BOD) 22-01 directs federal civilian agencies to mitigate CVE-2021-44228 by December 24, 2021, as part of the Known Exploited Vulnerabilities Catalog.
• Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings.
• Consider reporting compromises immediately to CISA and the FBI.