At the beginning of December, a security hole was discovered in the Java-based Log4j logging feature, affecting millions of businesses, government agencies, and cloud services using this popular Apache library. Many cybersecurity experts assess the vulnerability, named Log4Shell, as one of the most critical vulnerabilities of the decade.
According to our lead consultant Ronnie Jaanhold this is a critical vulnerability that can be used to do a lot of harm. “It’s as if you were sitting in an anthill wearing a wetsuit, unaware that you actually have several tiny holes in your wetsuit. You think you’re protected and as long as the ants haven’t found a hole, you’re fine. But as soon as one ant discovers one of the holes and communicates it to the others, they start crawling in one after the other,” he explains.
To date, Google, Amazon, LinkedIn, Apple, Tesla, Twitter, and many other well-known enterprises have suffered damage because of the Log4Shell security vulnerability. According to Microsoft, cybercriminals are using Log4Shell for malicious crypto mining, identity, and bank detail theft, as well as ransomware installation.
Who is affected by the vulnerability?
All Java-based services using Apache Log4j 2 versions 2.0 to 2.14.1 are affected. Log4j 2 has been integrated into many popular frameworks, including Apache Struts 2, Solr, Druid, Flink and Swift, Tomcat.
Log4j is used by almost all the Internet services or applications we are familiar with, such as Twitter, Amazon, Microsoft and many others. Its GitHub project has 400,000 downloads.
Prompt response is required
“Nobody foresaw such a security hole. Prompt response is all the more important now. All companies and institutions whose systems are affected should be engaged in mapping and patching the vulnerability. Denying the risk could lead to the worst-case scenario, i.e. a sudden shutdown of business activity.
Through this hole, access could be gained to your corporate infrastructure. From there on, it’s a piece of cake for an attacker, business as usual – encryption, ransomware, erasing data, and so on,” explains Jaanhold.
Computer and communication networks are as vulnerable as human immune systems
There are probably a lot of similar security holes we do not know about. It is essential that people responsible for your company’s digital channels know what software is being used, appropriate prevention, detection, and protection measures are in place and a plan has been prepared for responding to vulnerabilities and attacks detected. In many cases, a company might opt to use a vulnerability scanner to keep a track of “live” vulnerabilities, as not all of them can be patched.
Should your company lack adequate competence in this field, you can use a service partner that can draw attention to and prioritize cyber security issues. “The question is not whether an attack will come but when, how well the defense has been arranged, and how prepared the company is to respond,” Jaanhold points out. “Our team has helped to analyze the situation on this issue and develop the most appropriate and cost-effective plan in several companies.”
Steps for Log4Shell countermeasures
- The first step is to check whether the e-services or digital products of your company or institution use the Java-based Log4j logging feature.
- You should also map all external devices that have Log4j 2 installed.
- The next step is to upgrade the software, either in-house or with the help of a service provider.
- If patching is not possible – consider using virtual patching.
- Many information security solution providers like Tenable, Crowdstrike, Vectra, and others have created additional functionalities for detecting this vulnerability and the cyber-attacks exploiting it.