Organizations are being advised to immediately take steps to mitigate the Apache Log4J 2 vulnerability that has been uncovered recently.
The vulnerability affects the Log4j 2 open-source logging library developed by the Apache Software Foundation and is used by enterprise applications, custom applications developed within organizations and many cloud services.
While the vulnerability was made public on 10 December, it is understood that it was first privately reported to Apache on 24 November. That is a considerable window in which the vulnerability could already have been exploited.
“To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action,” said Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability could allow a threat actor to gain full control of an affected server through remote code execution (RCE).
Affected systems and services are those that use the Java logging library Apache Log4j, versions 2.0 through 2.14.1.
The real deal
Many are reporting that this may be one of the most significant vulnerabilities discovered in years because it affects both an organization’s own applications and any third-party applications the organization may be using.
Que Tran, head of IT for Europe and Russia at DP World, told Cyber Security Hub, “In a nutshell, it is mostly the scale of the software in use which is why it is concerning for all.”
Tran noted that because Log4j was in widespread use across a large swathe of business applications some organizations may not even know that they have been using it in their environment.
This, he said, leaves the RCE element open to abuse, with attacks already underway and multiple threat actors exploiting the vulnerability at scale.
Jason Rebholz, CISO at Corvus, commented, “This is a big deal and should be taken as such. Working exploit code is already public. Threat actors are already scanning the Internet for vulnerable systems. It is only a matter of time before that access is turned into other forms of malicious activity, such as deploying ransomware.”
Patching the problem
Government agencies and cyber security vendors have been recommending a series of urgent actions since the Apache Log4J 2 vulnerability was uncovered.
Patching is the first response many have turned to, since patches update the software and address the vulnerability within a program or product; the key advice is to download software updates only from trusted vendors.
The urgency to patch stems from threat actors front-loading their exploitation efforts to take advantage of the window of opportunity before systems are patched.
Tony Lee, VP, Global Services Technical Operations at BlackBerry, told Cyber Security Hub that, while people may be patching, they may not be investigating whether they had already been breached.
“There is a potential that this vulnerability has existed for a long time before it was reported,” Lee commented. “Some IT admins have a false sense of security after they patch, not realizing the damage has been done.”
Recommended actions
It has also been recommended that endpoint detection and response (EDR) software is deployed. For example, cyber security provider e2e-assure said that EDR will help to detect and potentially block post-exploitation activity.
The company also suggested that organizations review and update incident response plans as appropriate.
“Given the potential impact and ease of exploitation it is plausible that these might be needed until more comprehensive vendor software patches are released,” e2e-assure said in a statement.
CISA’s recommended actions have so far included enumerating internet-facing endpoints that use Log4j, ensuring the security operations center is actioning every alert on devices that fall into that category, and installing a web application firewall that updates automatically.
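The enumeration step above starts on each host: finding every copy of the Log4j 2 core library, including copies bundled inside WAR and EAR files, and checking whether the version falls in the affected range the article gives (2.0 through 2.14.1). The script below is an added example for this page, not CISA's, Apache's or any vendor's tool. It assumes the standard artifact naming `log4j-core-<version>.jar`, so it will not see a copy that was renamed or shaded into another jar, and the directory tree it scans is constructed inline so the example runs offline.

```python
"""Find Log4j 2 core jars on a host, including jars nested inside WAR/EAR
files, and flag versions in the range the article names (2.0 through 2.14.1).

Added example for this page; not CISA's, Apache's or any vendor's tool.
Assumes the standard artifact naming log4j-core-<version>.jar; renamed or
shaded copies are not detected by this filename-based check."""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, log4j-core-2.17.1-sources.jar
LOG4J_CORE_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?\.jar$")
AFFECTED_MIN = (2, 0)        # inclusive, as stated in the article
AFFECTED_MAX = (2, 14, 1)    # inclusive, as stated in the article
NESTED_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3                # how far into nested archives to descend


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True when the numeric version falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_archive(data: bytes, label: str, depth: int = 0) -> list:
    """Look inside one zip-format archive (jar/war/ear) for log4j-core jars,
    recursing into nested archives. Returns (location, version, affected)."""
    findings = []
    if depth > MAX_DEPTH:
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings            # not a zip (or corrupted); nothing to inspect
    with archive:
        for name in archive.namelist():
            base = os.path.basename(name)
            match = LOG4J_CORE_RE.match(base)
            if match:
                findings.append((f"{label}!{name}", match.group(1), is_affected(match.group(1))))
            if base.lower().endswith(NESTED_EXT):
                findings.extend(scan_archive(archive.read(name), f"{label}!{name}", depth + 1))
    return findings


def scan_tree(root) -> list:
    """Walk a directory tree; report log4j-core jars found as plain files or
    nested inside archives. Locations are relative to root; nested entries
    are written as outer-archive!inner-path."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        label = path.relative_to(root).as_posix()
        match = LOG4J_CORE_RE.match(path.name)
        if match:
            findings.append((label, match.group(1), is_affected(match.group(1))))
        if path.suffix.lower() in NESTED_EXT:
            findings.extend(scan_archive(path.read_bytes(), label))
    return findings


def _make_zip(entries: dict) -> bytes:
    """Build a minimal zip in memory (stand-in for a real jar/war)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root) -> None:
    """Constructed sample: two plain jars, an unrelated jar, and a WAR that
    bundles an older log4j-core in WEB-INF/lib."""
    lib = Path(root, "opt", "app", "lib")
    lib.mkdir(parents=True)
    stub = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}
    (lib / "log4j-core-2.14.1.jar").write_bytes(_make_zip(stub))      # affected
    (lib / "log4j-core-2.17.1.jar").write_bytes(_make_zip(stub))      # not affected
    (lib / "commons-lang3-3.12.0.jar").write_bytes(_make_zip(stub))   # unrelated jar
    Path(root, "opt", "app", "webapp.war").write_bytes(
        _make_zip({"WEB-INF/lib/log4j-core-2.12.1.jar": _make_zip(stub)}))  # nested, affected


def demo() -> list:
    """Run the scan over the constructed tree and return sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for location, version, affected in demo():
        print(f"{'AFFECTED' if affected else 'ok      '}  {version:<8}  {location}")
```

Point `scan_tree` at a real root (for example `/opt` or an application server's deployment directory) to inventory a host; the nested-archive handling matters because application servers routinely carry the library inside WAR files rather than as a loose jar. Treat a clean result as one input to the inventory, not proof of absence, since the check keys on file names only.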
Of course, there are also the Apache Software Foundation’s own support posts, which provide advice on mitigating the vulnerability.
Other useful resources include the National Cyber Security Centrum’s (NCSC-NL) list of the software it has been tracking, which discloses the status of each product with regard to the Log4j 2 vulnerability.