Log4j Vulnerability: What your Business needs to know
On Thursday, December 9, 2021, a severe vulnerability was discovered that has a devastating effect on systems across the internet. The severity of this particular vulnerability is rated 10/10, the highest possible score. This means that hackers can remotely obtain unauthorised full access to a vulnerable system with zero user interaction.
A zero-day vulnerability is a weakness in an IT system or device that has been disclosed but has not yet been patched. Zero-day vulnerabilities are found before security researchers are aware of them, so cybercriminals race to exploit (take advantage of) them; an attack that does so is known as a zero-day exploit. Log4j is classed as a zero-day.
What is Log4j?
Log4j is a commonly used Java logging library developed by the Apache Foundation. Java is a well-known computer programming language that emerged in the 1990s. As in every programming language, Java libraries are useful pieces of code written by someone else to help the development community.
Log4j is used by developers worldwide because it keeps track of what happens in software applications and cloud services and stores the tracked data in a log file. In computing, a log file contains information about the activities, events, and operations that take place within a computer system or network, data that is useful for identifying patterns. Hundreds of millions of devices, servers, and cloud services use this Java package, which is why the vulnerability found in it is so critical.
How serious is the Log4j Vulnerability?
To put it plainly, this vulnerability is critical. The number of Log4j users, combined with the potential impact of the security flaw, makes this extremely high risk and extremely dangerous, giving it a vulnerability score (CVSS) of 10/10.
Who is affected by Log4j?
Everyone, including organisations and individuals, is at risk. Individuals can be affected indirectly because cybercriminals can use the security flaw to install malware (malicious code) and backdoors on servers and other computer systems; when services of this kind are compromised, the many millions of people who use them are affected too.
Businesses should also be aware of the potential consequences if their IT systems were to be exploited because of the zero-day vulnerability: cost of incident response, harmful impact on their reputation and brand image, and other financial losses.
What is affected by the Log4j Vulnerability?
Applications written in Java, or applications that use the log4j library, are the most likely to be affected; examples include Maven and Gradle, which are used in software development. Many enterprise applications, such as supply chain management systems, customer relationship management systems, and resource planning systems, are written in Java and will therefore be affected by this vulnerability.
The log4j vulnerability was exploited in the popular video game Minecraft, which has over 100 million active users worldwide. The vulnerability also affects major cloud services and vendors such as Apple's iCloud, Steam, AWS (Amazon Web Services), Arista Networks and Red Hat.
IBM, a global technology and innovation company, is also vulnerable because Log4j is used by its WebSphere Application Server. VMware, Fortinet and Cisco are also vulnerable to CVE-2021-44228. Any device is affected if it runs log4j version 2.0 to 2.14.1.
Some of the applications that have been affected by Log4j
VMware is a virtualization and cloud computing software provider. If you own servers, you most likely use VMware. VMware has published a list of affected systems and a workaround.
Sophos has acted quickly in patching all affected systems. Only one product on its list has not yet been treated. Check out the list here.
Amazon Web Services (AWS)
AWS has published an update listing the affected products and stating whether the threat has been mitigated for each.
MongoDB is a database program used in various applications, particularly web applications (websites). MongoDB has published a list of affected systems and released patches.
This is not a complete list, merely examples of some popular applications affected by Log4j. Java-based apps such as WebEx, Minecraft, JetBrains IDEs, Citrix, and FileZilla FTP are all vulnerable. If you are unsure whether your infrastructure is affected by the vulnerability, the NCSC has published a guide to help IT personnel detect any unknown instances of Log4j in your systems.
Even though your organisation may be safe from this newly found threat, your supply chain might be at risk. We recommend that you seek evidence-based reassurance from your supply chain.
What can organisations do to put protective measures in place?
Review your system for the use of Log4j
Upgrade the Log4j software to 2.16.0
Check the list of the vulnerable software
Ensure that all your system software is updated
Contact software vendors
Set Web Application Firewall rules
Check for scanning activity
Review supply chain systems
Keep updated by following advice from the NCSC
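The first two steps above, reviewing your systems for Log4j and comparing what you find against the affected range (2.0 to 2.14.1) and the 2.16.0 upgrade target, can be partly automated. The script below is an added example written for this article; it is not code from the article, the NCSC or the Apache Log4j project. It walks a directory tree, opens every JAR/WAR/EAR (including archives nested inside other archives) in memory, reads the Log4j version from the file name and reports a status. As a supplementary indicator not mentioned in the article it also records whether the archive contains JndiLookup.class, the real class path inside log4j-core 2.x. The sample JAR files in demo() are constructed in a temporary directory purely to exercise the scanner.

```python
"""Find Log4j 2 JARs on disk and flag versions the article calls affected.

Added example, not code from the original article or the Apache Log4j project.
Uses the article's figures (2.0 to 2.14.1 affected, 2.16.0 the upgrade target);
the JndiLookup.class check is a supplementary indicator not taken from the article.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

VULNERABLE_LOW = (2, 0)       # first affected version named in the article
VULNERABLE_HIGH = (2, 14, 1)  # last affected version named in the article
RECOMMENDED = (2, 16, 0)      # version the article says to upgrade to
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# The version comes from the file name; "!" separates nesting levels in a location.
VERSION_RE = re.compile(r"(?:^|[/!])log4j-core-(\d+(?:\.\d+)*)[^/!]*\.jar$")


@dataclass
class Finding:
    location: str              # path, with "!" between archive nesting levels
    version: str               # dotted version, or "unknown"
    status: str                # VULNERABLE / UPGRADE / OK / REVIEW
    jndi_lookup_present: bool  # JndiLookup.class found inside the archive


def parse_version(location: str):
    """Version tuple from a log4j-core JAR name, or None for any other file."""
    match = VERSION_RE.search(location.replace("\\", "/"))
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def classify(version: tuple) -> str:
    """Map a version to a status using the article's range and upgrade target."""
    if VULNERABLE_LOW <= version <= VULNERABLE_HIGH:
        return "VULNERABLE"
    if version < RECOMMENDED:
        return "UPGRADE"  # outside the named range but still below 2.16.0
    return "OK"


def inspect_archive(location: str, data: bytes) -> list:
    """Inspect one archive held in memory, recursing into nested archives."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP-based archive, nothing to inspect
    with archive:
        names = set(archive.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = parse_version(location)
        if version is not None:
            findings.append(Finding(location, ".".join(map(str, version)),
                                    classify(version), has_jndi))
        elif has_jndi:
            # Bundled copy with no version in the name (e.g. a shaded fat JAR):
            # flag it for manual review rather than guess a version.
            findings.append(Finding(location, "unknown", "REVIEW", True))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):
                findings.extend(inspect_archive(f"{location}!{name}", archive.read(name)))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory tree and inspect every archive found in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, filename).replace(os.sep, "/")
                with open(path, "rb") as handle:
                    findings.extend(inspect_archive(path, handle.read()))
    return sorted(findings, key=lambda f: f.location)


def _make_archive(entries: dict) -> bytes:
    """Build a small ZIP/JAR in memory from {entry_name: bytes}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buffer.getvalue()


def demo() -> dict:
    """Scan a constructed sample tree; return {location relative to root: status}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    manifest = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    core = {**manifest, JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"}  # constructed stand-in class
    samples = {  # constructed sample files, not real artifacts
        "lib/log4j-core-2.14.1.jar": _make_archive(core),
        "lib/log4j-core-2.16.0.jar": _make_archive(core),
        "lib/log4j-api-2.14.1.jar": _make_archive(manifest),  # API-only JAR: not reported
        "webapps/shop.war": _make_archive({"WEB-INF/lib/log4j-core-2.15.0.jar": _make_archive(core)}),
        "opt/shaded-app.jar": _make_archive(core),  # fat JAR with no version in its name
    }
    for relative, content in samples.items():
        full = os.path.join(root, relative)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(content)
    prefix = root.replace(os.sep, "/") + "/"
    return {f.location[len(prefix):]: f.status for f in scan_tree(root)}
```

On a real host you would call scan_tree() on the application directories (and anywhere else JARs are deployed) instead of demo(). Two caveats worth keeping in mind: the version is read from the file name, so a renamed or shaded copy of log4j-core only shows up as REVIEW and must be confirmed by hand, and the scan only covers ZIP-based archives on disk, not Log4j copies already loaded into running processes or embedded in vendor appliances, which is where the vendor lists mentioned above come in.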
How can individuals protect themselves from Log4j?
Do not ignore software updates
Keep all your devices (phones, tablets, laptops) regularly updated
Increase awareness of this vulnerability in your organisation
Ensure you have anti-virus software; attackers may use the log4j vulnerability to spread malware to systems and devices
By following these steps, users and organisations will have the best possible chance of protecting themselves from this zero-day vulnerability. The NWCRC can provide security awareness training to organisations and individuals, which you can access by contacting us today.
This recent zero-day vulnerability can affect any organisation or individual, so you must remain alert. Follow professional advice, keep your devices regularly updated, and watch out for vulnerability patches that will be released in the coming weeks. You can also contact the NWCRC to scan your network (either remotely or by an internal assessment). Our vulnerability assessments can test your IT system configuration using the same techniques hackers use to ensure your company is not wide open to cyber-attacks.
If you are unsure about how to approach this vulnerability or do not have an IT provider, you can contact us here.