News of a widespread security exploit within the Log4j internet software (also called Log4shell) sent IT and security teams into emergency mode earlier this week. With lots of information swirling around, BARR associates came together to compile the most important details you need to know about this software flaw.
What is Log4j?
Log4j is a free framework distributed by the Apache Software Foundation that has millions of downloads across the globe, all of which collect data from things like computer networks, apps, and websites.
“The best way to describe Log4j is a Java library used for logging error messages,” said Brett Davis, senior consultant, cyber risk advisory at BARR. “The Log4j vulnerability allows for remote code execution by input of a textbox.”
So what are the risks?
Already considered one of the most serious software flaws in recent times, the Log4j vulnerability leaves the door wide open to cybercriminals who can input code remotely on a target device. Doing this means the hacker can install malware, steal data, and even hijack the device by taking total control of it. There is also a concern criminals could install ransomware which locks systems and data until a payment is made to the hacker.
“It’s interesting because, beyond the technical risks associated with exploiting the vulnerability, the risks are exacerbated by poor asset management and dependency tracking within supporting infrastructures,” said Larry Kinkaid, senior consultant, CISO advisory. “It also reveals gaps related to third party risk management such as relationship responsibilities, lack of primary contact information, tracking the sensitivity of data and information the vendor may store or process, and how shared responsibilities are defined.”
The flaw was first discovered within Minecraft, but security experts quickly realized the vulnerability extended to every program using the Log4j library. See GitHub’s list of all the affected software here.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) who has spent 20 years in various federal cybersecurity roles, released a statement saying, “To be clear, this vulnerability poses a severe risk.” In the statement, Easterly urges companies to act fast, adding, “we have limited time to take necessary steps in order to reduce the likelihood of damage.”
What can you do to protect your organization?
Here are some recommendations from Niti Jadhav, senior consultant, cyber risk advisory, on what you can do to mitigate risk:
- Identify all potentially vulnerable systems at risk.
- Upgrade devices utilizing Log4j to version 2.15.0 where possible. If not possible, apply these recommended steps.
- Apply patches from vendors as soon as they become available (e.g., AWS’s released mitigations and planned platches).
- Install and configure web application firewall (WAF) rules to focus on Log4j threat detection.
- Utilize monitoring tools to detect and log exploitation attempts.
- Utilize continuous vulnerability scanning to identify vulnerabilities in systems.
For more information on how you can fix the Log4j problem within your organization, we recommend reading this article from the Wall Street Journal.
Still have concerns, questions, or are unsure how to take steps to protect your company? Don’t hesitate to contact us.