Log4j vulnerabilities are impacting businesses everywhere—here’s what you need to know
On December 6, 2021, the Apache Software Foundation released an urgent update for a Log4j library to address a maximum severity vulnerability. This vulnerability, referred to as LogShell or LogJam, has wide-reaching implications for businesses of all sizes and in all sectors because of Log4j’s widespread use in the development of various applications.
Apache Log4j is not used in Field Effect products and as such, our products are not affected by these vulnerabilities. Our team has deployed new network and endpoint-based rules in Covalence to detect the presence of Log4j in other products, including the version in use, as well as malicious activity associated with this vulnerability.
Log4j’s zero-day is one of the worst cyber security vulnerabilities ever discovered. Use of the vulnerable library is widespread and easily exploitable by threat actors to take control of a system remotely.
While updates are available to address the vulnerability, it is considerably harder to manage third-party applications that use Log4j. Organizations must determine which applications may be leveraging the Log4j libraries and depend on those vendors to update and release new versions of the vulnerable applications.
Here’s what you need to know about this critical vulnerability, and what it means for your business.
What is the Log4j zero-day vulnerability?
Log4j is a widespread piece of software that can be directly used as a “logging library.” A logging library keeps a running list of what activities have been performed in an application.
The log vulnerability has been officially classified as CVE-2021-44228. To exploit it, an attacker simply needs to send some modified text to a targeted application. The application will then retrieve and execute this string of text, which will usually point to a server or malicious file controlled by the attacker. This makes LogShell/LogJam particularly easy for attackers to use, allowing them to conduct remote code execution on targeted devices and systems.
Remote code execution (RCE) refers to an attacker’s ability to access and make changes to another computer or device, running commands and programs remotely. RCE attacks are extremely dangerous because they allow attackers to take over other systems entirely, in turn severely disrupting business operations.
CVE-2021-4428 was patched in version 2.16.0. The feature causing the initial vulnerability had been disabled by default in Log4j version 2.15.0. Researchers also identified additional vulnerabilities:
- log4jCVE-2021-45046, a vulnerability in certain non-default configurations of Log4j version 2.15.0, tracked separately from LogShell/LogJam. This was also addressed by version 2.16.0.
- CVE-2021-42550, also known as Logback-1591, a lesser threat than LogShell/LogJam. Like CVE-2021-45046, it was addressed by the latest version of Log4j.
- CVE-2021-4104, an issue with JMSAppender in Log4j version 1.2.0. Version 1.2.0 reached end-of-life in 2015, and it is recommended that organizations still using it upgrade to the latest version of Log4j.
- CVE-2021-45105, a further issue related to the initial LogShell/LogJam vulnerability that could allow an attacker to cause a denial of service. This additional vulnerability has been addressed in Log4Jam version 2.17.0.
Who does this vulnerability impact?
Any organization running a product that uses an outdated version of Log4j may be affected by this vulnerability. Because of the popularity of Log4j, these unpatched systems may be at risk.
Because Log4j is used in applications everywhere—including those on macOS and iOS, Windows, and Linux—the list of potential impacts is long. Vendors who may be affected include Apple iCloud, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon Web Services, and Atlassian, to name a few.
Of particular concern are industrial systems. It’s easy enough to apply a software patch to a workstation like a laptop, but it’s much harder to do the same with industrial equipment. For example, if you are responsible for industrial control systems, they may include remote sensors that use Log4j. These sensors may be harder to update because of how hard they are to access or due to IT limitations.
Applying critical updates throughout complex IT infrastructure is a time-consuming process, particularly in legacy systems. These systems depend on several technologies, and issues with one may cause a domino effect of failures, particularly if it’s hard to determine where code is present.
How to secure your business
The good news is that Covalence customers can rest easy knowing their systems are protected. For organizations who have not yet applied these patches, we strongly recommend following Apache’s guidance and updating to Apache Log4j version 2.17.0 immediately, as detailed in our Security Intelligence feed. We also recommend ensuring your third-party vendors are patching affected systems, as their updating process may take some time to complete.
Staying on top of critical patches and updates is vital yet challenging. Outlining the policies, procedures, and tools needed for effective patch management can provide a blueprint for keeping systems up and running, ensuring business continuity, and reducing overall security risk.
If you’re unsure of where to start with these critical updates or don’t know if your systems are at risk, don’t worry—we’ve got you covered. The team of experts at Field Effect is ready to help you enhance your security posture and protect your business. Contact us today to get started.