If you have heard about the Apache Log4j threat or the Log4Shell threat you already know how serious this is. Log4j is a widely used Java library that logs error messages in applications.
If you are not aware of this threat, please note it is being labeled as one of the most dangerous cyber threats of all time. A great deal of the Internet, from Amazon’s cloud to connected TVs, is riddled with the log4j vulnerability and has been for years.
What is Log4j?
According to the Cybersecurity & Infrastructure Security Agency, “Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.” The log4j code is used by tens of thousands of software packages and projects across the software industry. It helps software applications keep track of their past activities. It’s free and very popular.
The Log4j Threat
Perhaps the most dangerous vulnerabilities concern is multiple threat actors, including nation-backed hackers such as China, Iran, North Korea, and Turkey. In addition, the Conti ransomware gang is also involved in malicious activities. If that doesn’t make you stand up and take notice, the Belgian Ministry of Defence confirmed its network had been attacked. It is almost a sure bet that other government networks are being approached by hackers.
Who Is Vulnerable?
Log4j code is present in some technology vendors like Cisco, IBM, and VMware. The vulnerability has been used by hackers since the beginning of December, but when Apache announced its existence on December 17, 2021, the attacks increased dramatically. Microsoft reported that “attackers have exploited the flaw to install crypto miners on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data.”
It has affected hundreds of millions of devices and experts predict its vulnerability will haunt the internet for years. In addition to the tech giants mentioned above, Amazon Web services, Microsoft, and Google Cloud have all identified their vulnerable services. And that is just a handful of organizations affected. Thankfully, these three have quickly worked to fix their issues. Google has assigned 500 plus engineers to make sure their code is safe.
A good example of why this is such a big deal was presented by The Washington Post. “The fact that Log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.”
A list of software identified with vulnerability can be seen here.
The Cybersecurity & Infrastructure Security Agency (CISA) states that Apache did the following:
- On December 10, 2021, Apache released Log4j 2.15.0 for Java 8 users to address a remote code execution (RCE) vulnerability—CVE-2021-44228.
- On December 13, 2021, Apache released Log4j 2.12.2 for Java 7 users and Log4j 2.16.0 for Java 8 users to address an RCE vulnerability—CVE-2021-45046.
- (Updated December 18, 2021) On December 17, 2021, Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DOS) vulnerability—CVE-2021-45105.
CISA suggests all organizations monitor the Apache Log4j Security Vulnerabilities webpage to stay current on updates, fixes, and next steps.
Who Should be Concerned?
The easy answer is everyone. Specifically, all organizations that have the Log4j code in their programs. That includes manufacturers of medical devices which the FDA warned could be compromised and possibly malfunction. Hospitals are also scrambling to identify their vulnerabilities and attempting to mitigate their risks.
On December 17, 2021, CISA issued Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability directing federal civilian executive branch agencies to address Log4j vulnerabilities—most notably, CVE-2021-44228. The Emergency Directive requires agencies to implement additional mitigation measures for vulnerable products where patches are not currently available and requires agencies to patch vulnerable internet-facing assets immediately, thereby superseding the broader deadline in BOD 22-01 for internet-facing technologies. (https://tinyurl.com/y62374co)
Obviously, the first thing you need to do is identify if your organization is at risk. One way to do this is by reviewing Apache’s Log4j Security Vulnerabilities page. If it is, apply any available patches immediately. Continuously check for CISA updates and follow their recommendations. Stay informed.
Speaking of staying informed, as updates roll out regarding the Log4j vulnerabilities and patches you can check back here to check on what is happening.