What is Log4j?
A new vulnerability has shaken cyberspace in the last few days creating great chaos. Known to be privately reported to Apache on November 24, it was made public on December 10. As per Ars Technica, there have been over 840,000 attacks on companies since December 10 due to a vulnerability in the open-source Log4j software.
Log4shell is a critical vulnerability in Log4j, a widely used Java library for logging error messages in applications developed by the Apache Software Foundation, uncovered recently. Log4j is used worldwide across software applications and online services by enterprise applications, custom applications developed within organizations, and many cloud services.
What is the severity of log4j vulnerability?
An unauthenticated remote code execution vulnerability (CVE-2021-44228) affects Apache Log4j versions 2.0-beta9 to 2.14.1. With the upheaval created, warnings have been issued by the governments and companies have dived in to fix this serious software flaw. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
Owing to the very little expertise required for Log4j vulnerability exploit, Log4shell is potentially the most severe computer vulnerability in years. In a minute more than 100 attacks are happening and 900k attacks happened in the last 4 days.
Both CISA and the U.K.’s National Cyber Security Centre have issued warnings for companies to make upgrades relating to the Log4j vulnerability.
“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between the government and the private sector. We urge all organizations to join us in this essential effort and take action,” said Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA).
Que Tran, head of IT for Europe and Russia at DP World, told Cyber Security Hub, “In a nutshell, it is mostly the scale of the software in use which is why it is concerning for all.”
Since Log4j is in widespread use across business applications, some organizations may not even know that they have been using it in their environment. Having noted this, Tran said that this would allow the RCE element, with attacks already underway and widespread multiple threat actors exploiting the vulnerability at scale.
Jason Rebholz, CISO at Corvus, commented, “This is a big deal and should be taken as such. Working exploit code is already public. Threat actors are already scanning the Internet for vulnerable systems. It is only a matter of time before that access is turned into other forms of malicious activity, such as deploying ransomware.”
The Log4j 2 vulnerability affecting both organization’s own application and any third-party applications an organization may be using makes it one of the most significant vulnerabilities discovered in years.
Top companies affected by log4j vulnerability?
The scale at which Log4j vulnerability is being exploited has become a ‘matter of great concern across the globe. Major global companies are facing pressure to fix what experts are calling probably the worst security vulnerability in at least 10 years and maybe longer.
Among them are Apple INC, Amazon.com INC, Cloudfare INC, IBM, Microsoft Corp’s Minecraft, Palo Alto Networks INC, and Twitter INC.
AWS, having given the details on how the flaw impacts its services, is working on patching its services that use Log4j and has released mitigations for services like CloudFront.
IBM, having confirmed that Websphere 8.5 and 9.0 are vulnerable, is “actively responding” to the Log4j vulnerability across its infrastructure and its products.
Oracle has also issued a patch for the flaw. “Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” it said.
How to mitigate Apache Log4j 2 vulnerability?
Organizations are being advised to immediately take steps to mitigate the Apache Log4j 2 vulnerability.
Although fixes have been issued, they will still need to be implemented.
1. Updating to 2.16.0.
2. If Log4j is present and the library cannot be updated, customers using Log4j 2.10 to 2.14.1 may set the LOG4J_FORMAT_MSG_NO_LOOKUPS=”true” environment variable. Please remember to restart the application to force this change
It has also been recommended that endpoint detection and response software be deployed. For example, cyber security provider e2e Assure said that EDR will help to detect and potentially block post-exploitation activity. The company also suggested that organizations review and update incident response plans as appropriate.
The CISA’s recommended actions have so far included enumerating internet-facing endpoints that use Log4j, ensuring the security operations center has been actioning every alert on devices that falls into that category, and installing a web application firewall that automatically updates.