Mumbai: Almost a month ago Log4j vulnerability hit the software and IT world. Since then, this vulnerability has left software vendors, developers and security leaders in a state of uncertainty.
The new zero-day vulnerability (CVE-2021-44228) found in the very common logging system is used by most web and applications developers. Apache Log4j 2 Java Library is actually the most common logging system of today.
Since Log4j vulnerability is part of that system its impact is likely wider and deeper ranging from services to applications running on the servers. That means any hacker or group of attackers can possibly inject text into log messages or alter parameters into server logs from a remote server.
Certainly, this makes the Apache Log4j vulnerability extremely dangerous and severe for the IT world. More so, Apache Log4j is found embedded in almost every internet service, application or product of today including Twitter, Amazon Web Services, Microsoft and more.
These are enough reasons that have kept security leaders worried globally. As they continue to look for ways to fix this Log4Shell vulnerability at the earliest and that too, beyond mere patching.
For security leaders including Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and Chief Security Officers (CSOs) — it is very hard to gauge the vulnerability’s impact on the IT systems, enterprise software and infrastructure in their organisations. In fact, MITRE rated this vulnerability as critical severity, assigning it a CVSS score of 10/10.
Log4j vulnerability widespread
According to Gartner’s Senior Director Analyst, Jonathan Care, the Log4j vulnerability is extremely widespread and can affect enterprise applications, embedded systems and their sub-components.
“Most of the Java-based applications including Cisco Webex, Minecraft and FileZilla FTP are all examples of affected programs. But this is by no means an exhaustive list. The vulnerability even affects the Mars 2020 helicopter mission, Ingenuity, which makes use of Apache Log4j for event logging,” said Care.
The security community has created resources cataloguing vulnerable systems. “However, it’s important to note that these lists are constantly changing, so if a particular application or system is not included, don’t take it as assurance that it isn’t impacted,” cautioned Cared.
Further, “Exposure to this vulnerability is highly likely, and even if a particular tech stack does not use Java, security leaders should anticipate that key supplier systems — SaaS vendors, cloud hosting providers and web server providers — do,” added Care.
Dealing with vulnerability threats
Knowing the severity of Log4j vulnerability. The possibility of IT systems and infrastructure being exploited can’t be ruled out. Given this scenario, it is also important for security leaders to be aware of the threats that this vulnerability poses to their web and enterprise applications and IT systems.
“If left unpatched, attackers could use this vulnerability to take over computer servers, applications and devices, and infiltrate enterprise networks. We are already seeing reports of malware, ransomware and other automated threats actively exploiting the vulnerability,” commented Care on the threat scenario of not patching.
“The attack barrier for this vulnerability is extremely low — all it requires is an attacker typing a simple string into a chat window. The exploit is “pre-authentication,” which means an attacker does not need to sign into a vulnerable system to overcome it. In other words, expect that your web server is vulnerable,” explained Care.
Measures to identify and resolve the vulnerability
When the vulnerability is severe and critical, for security leaders identifying and resolving it becomes the top priority. “Cybersecurity leaders need to make identification and remediation of this vulnerability an absolute and immediate priority,” emphasized Care.
“Start with a detailed audit of every application, website and system within your domain of responsibility that is internet-connected or can be considered public-facing,” advised Care on how security leaders need to go about while dealing with Log4j vulnerability.
The audit should also include self-hosted installations of vendor products and cloud-based services. Security leaders should pay particular attention to systems that contain sensitive operational data, such as customer details and access credentials, according to Care.
Interestingly, the Apache Log4j vulnerability has surfaced at a time, when the organisations globally are operating with a large base of remote workers from an unsecured non-enterprise environment. That means security threats and risks are much higher for these remote employees as they operate through personal devices, routers and home networks.
While the remote workforce has been critical to organisations during the past two years of the COVID-19 pandemic. It also remains the weaker link in the entire security chain of the organisations today. And that certainly poses a big challenge for the security leaders.
Post the audit, security leaders should pay attention to remote employees and ensure that they update their personal devices and routers, which form a vital link in the security chain, according to Care.
“This will likely require a proactive, involved approach, as it is not sufficient to simply issue a list of instructions, given vulnerable routers provide a potential entry point into key enterprise applications and data repositories,” said Care.
“You’ll need the support and cooperation of the broader IT team,” Care added on how security leaders should approach when it comes to the remote workforce.
Further, Care pointed that security leaders at the same time need to invoke formal severe incident response measures in line with their organisational incident response plans.
“Since this incident merits involves all levels of the organisation, including the CEO, CIO and board of directors. Ensure you’ve briefed senior leadership and that they are prepared to respond to questions publicly,” he emphasized.
“This vulnerability and the attack patterns exploiting it are unlikely to subside for some time. So active vigilance will be important for at least the next 12 months,” concluded Care.