A vulnerability found in Apache’s logging library, Log4j, has been dubbed as one of the biggest security flaws discovered in recent years and could affect some of the world’s most popular applications and services.
What is Log4Shell?
Log4Shell is the name given to the vulnerability found in the Apache open-source, Java-based logging tool, Log4J.
This logging software is found practically everywhere, from enterprise products to cloud data centres.
The vulnerability allows an unauthenticated remote attacker to send a specially crafted string to a server; when that string is parsed and processed by Log4J as part of a log message, the server ends up executing attacker-controlled code.
The exploit first surfaced on Thursday, when it was used in the wild to compromise Minecraft servers. That incident was the wake-up call that brought the vulnerability to wide attention.
Since then, the severity of this threat has become much clearer, with all the big names in the tech industry working around the clock to close this security loophole and reaching out to their customers to advise on how best to proceed.
Some of the products/services thought to be affected include Apple iCloud, Amazon, Steam and Twitter.
How threatening is the exploit?
The vulnerability is tracked as CVE-2021-44228 and carries the maximum severity rating of 10/10.
As mentioned above, the first known exploitation of this flaw was against Minecraft servers. Since the exploit was published as a result of that incident, the number of attacks has increased significantly, because far more people now know about it.
Researchers have reported seeing this easy-to-exploit and critical vulnerability being used to exfiltrate configurations and environment variables, install crypto-mining software and steal other potentially sensitive data from servers.
What makes this vulnerability so threatening is the following:
- The extensive amount of attacks that can be carried out
- The relative ease at which these attacks can be performed
- The fact that so many applications and services rely on Log4J
- As Log4J is used so frequently, organisations may not know where the library runs – so tracking it down will be a challenge
Why is this vulnerability important?
The ubiquitous nature of this bug means that you, as a company, will be very lucky to avoid being affected by it. It is used in countless applications and, as a result, IT professionals and system administrators are scrambling to close the security loophole as soon as possible.
Independent researcher, Chris Frohoff, predicts events like this will become more commonplace:
“What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings. This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”
As it is still early days since the vulnerability became headline news, experts expect the worst is yet to come, with ransomware incidents already starting to be reported.
What should you do as a business?
Firstly, as a user, there is not much you can do yourself. Other than ensuring all applications and services you use are up to date (which you may not have the ability to do), the rest is in the hands of developers and IT professionals to advise and patch the problem.
As a business, you should ensure the following is done within the company:
- If you are using Log4J, this should be updated to the latest version
- You need to find all code in your network that is written in Java and check whether it uses the Log4j library
- If you can’t do this, then you should look at implementing the workarounds detailed in Sophos’ article
- Review all IPS, WAF, firewall rules and web filtering you have in place and make sure they are configured appropriately to block as much malicious traffic from the outside as possible
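A starting point for the inventory step above (finding every copy of Log4J on a host, including jars nested inside wars and fat jars), as an added example that is not from the original article: it reports each copy's version from its Maven metadata and whether the JndiLookup class is present, so each copy can be checked against the version the vendor advisory requires. The class and metadata paths are the real ones shipped in log4j-core; the sample war is constructed inline.

```python
import io, os, zipfile

# Class that implements Log4j's JNDI lookup; its presence plus the version
# from the Maven metadata tells you which copies still need patching.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, label):
    """Return [(label, version, has_jndi_lookup)] for this archive and for
    every archive nested inside it (fat jars, WEB-INF/lib, etc.)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive, nothing to inspect
    with zf:
        names = sorted(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or JNDI_CLASS in names:
            findings.append((label, version, JNDI_CLASS in names))
        for name in names:  # recurse into nested archives
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{label}!{name}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive found under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings

def build_sample_war():
    """Constructed input: a fake log4j-core 2.14.1 jar bundled inside a war."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # dummy class bytes
        z.writestr(POM_PROPS, "version=2.14.1\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Run `scan_tree("/opt")` (or whichever directories host your Java applications) and compare each reported version against the fixed release named in the advisory; a version with JndiLookup present that predates the fix is a copy that still needs updating.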
Conclusion
Most security experts consider the Log4Shell vulnerability to be one of the worst in living memory. The concern, however, should not only be how to resolve the issue now; the lasting effect of this incident, and how it might shape the future of cybersecurity, should also be considered.
This exploitation may also prompt businesses and IT professionals to think more deeply about the software and services they implement in their environment. For example, should some form of audit be conducted periodically to help take stock and keep up with security protections?
If you would like further advice or information on this issue, don’t hesitate to contact us.