As highlighted in our article from December 10, 2021, the Apache Log4j vulnerability is receiving considerable attention in both the public and private sectors. Over 100 million devices and servers are believed to be affected by the vulnerability. The software is widely used in a variety of consumer and enterprise services, websites and applications, as well as operational technology products. The exploit is reported to be easy to reproduce and deploy; instructions and sample code are already circulating online, which also lowers the barrier for potentially malicious actors.
According to a recent statement from the Director of the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security, there has been “active and widespread exploitation” of the identified vulnerability. This is consistent with media reports that ransomware threat actors, as well as Advanced Persistent Threat (APT) groups with ties to the governments of Iran, Turkey, North Korea and China, are exploiting the flaw. CISA deemed the vulnerability critical, ordered all civilian federal agencies to urgently patch or otherwise remediate it, and recommended that non-federal partners follow suit.¹ The FBI is asking that Log4j victims report as much information as possible to its Internet Crime Complaint Center (IC3.gov) to help the FBI and CISA prioritize outreach.
The situation continues to develop rapidly, with Apache disclosing a second Common Vulnerabilities and Exposures (CVE) entry for Log4j and releasing a new update on December 13, 2021. Companies that have updated Log4j to version 2.15.0 should immediately move to version 2.16.0, because the previous version is no longer considered secure.
In addition, threat actors are developing new methods to evade the original mitigation techniques deployed at the network level. Companies are advised to continue monitoring the situation in the weeks and months to come as new fixes are released, both for Log4j and for the applications that embed Log4j, and as additional exploit signatures become available for web application firewalls (WAF), intrusion detection and prevention systems (IDS/IPS), and endpoint protection software.
Log4j’s risk is not limited to a company’s own systems and networks. Businesses should look beyond their own environment to assess whether, and to what extent, their vendors and their vendors’ vendors are using the Apache Log4j library, prioritizing vendors with access to the company’s systems and data. Here are some initial considerations and questions that a business might explore with its vendors (and with itself, if it has not already done so):
Whether the vendor has performed a vulnerability assessment to identify if it has potentially been affected by Log4j (including the vendor’s systems and their software products or services, as well as those of their vendors);
If the vendor uses Log4j, whether it has applied the required patches and updates and/or implemented other recommended corrective measures to address the vulnerability in its systems and software products;
Whether the vendor performs daily (if not more frequent) checks of regularly updated lists of known vulnerable vendors and applications (for example, https://github.com/NCSC-NL/log4shell/tree/main/software) to identify whether the vendor itself uses any of the listed vulnerable products or applications;
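The two concrete checks this alert asks for are (a) whether Log4j is present at all and (b) whether every copy is at 2.16.0 or later rather than the 2.15.0 build the text says is no longer considered secure. The script below is an added example (not the original article's or Apache's code) that walks a directory tree, finds log4j-core jars, reads the version from the jar's MANIFEST.MF (falling back to the file name), and classifies each copy against the 2.16.0 baseline stated above. The directory layout, jar names and manifest contents built by build_sample_tree are constructed for the demonstration; they are not real Log4j artifacts.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Baseline stated in the alert: 2.15.0 is no longer considered secure, 2.16.0 is required.
MINIMUM_SAFE_VERSION = (2, 16, 0)

# Matches the conventional artifact name, e.g. log4j-core-2.14.1.jar
JAR_NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text):
    """Turn 'x.y.z' into a comparable (x, y, z) tuple; None if it does not parse."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def version_from_jar(path):
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name.

    The manifest is preferred because a jar may have been renamed or vendored under
    another name, while the manifest travels inside the archive."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                version = parse_version(line.split(":", 1)[1])
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # no readable manifest: use the file name instead
    m = JAR_NAME_RE.search(Path(path).name)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version):
    """'ok' at or above the baseline, 'vulnerable' below it, 'unknown' if undetermined."""
    if version is None:
        return "unknown"
    return "ok" if version >= MINIMUM_SAFE_VERSION else "vulnerable"


def scan(root):
    """Return {absolute jar path: status} for every log4j-core jar under root."""
    return {str(jar): classify(version_from_jar(jar))
            for jar in Path(root).rglob("log4j-core-*.jar")}


def build_sample_tree(root):
    """Create constructed sample jars (hypothetical layout, not real artifacts)."""
    samples = {
        "app/lib/log4j-core-2.14.1.jar": "2.14.1",
        "app/lib/log4j-core-2.15.0.jar": "2.15.0",
        "vendor/agent/log4j-core-2.16.0.jar": "2.16.0",
        "legacy/log4j-core-2.13.3.jar": None,   # no manifest: exercises the file-name fallback
    }
    for rel, version in samples.items():
        jar = Path(root) / rel
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as zf:
            if version is None:
                zf.writestr("placeholder.txt", "constructed jar without a manifest\n")
            else:
                zf.writestr("META-INF/MANIFEST.MF",
                            f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")


def demo():
    """Build the constructed tree in a temp dir, scan it, and return relative-path results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {str(Path(p).relative_to(tmp)): status for p, status in scan(tmp).items()}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:10s} {path}")
```

Run it against a real host by calling scan("/") or scan on each application root; anything reported as "vulnerable" or "unknown" is a copy to patch or investigate. The script only looks at jars named log4j-core-*.jar, so a vendor's shaded or repackaged copy of the library would not be found by name and still needs the vendor-level questions above.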
The above questions are intended to give businesses considerations for their own environments and for conversations with vendors, as well as to help vendors respond to any inquiries they receive. Unfortunately, the range of vendors a business should consider questioning can be quite broad: it can include a company’s cloud providers, software product providers, managed service providers, outsourcing providers, and virtually anyone with access to a company’s networks, systems, or data. Seemingly minor devices (for example, IoT devices such as network printers and cameras) may also fall within the scope of this review.
Companies should also consider engaging digital forensics specialists to help research and validate the answers to these questions and to monitor their systems over the coming days, weeks, and months, as more becomes known about the pace and characteristics of this threat. Additional fixes may be needed for Log4j and for applications that use this popular library, as security researchers test the latest versions for further vulnerabilities. The review is not limited to Log4j; security researchers, and possibly threat actors, are likely to turn to other popular open source products and test them for vulnerabilities.
As the latest developments show, the full impact of the Log4j vulnerability has yet to be determined. Organizations of all sizes and industries need to remain on their toes, vigilant in remediation, and prepared for potential exploits in their own environment and throughout their supply chains.
¹ CISA has created an Apache Log4J Vulnerability Guidance web page and maintains a community-sourced GitHub repository that provides a list of publicly available information and vendor-provided notices regarding the Log4j vulnerability.