Redazione Axitea
For the past few weeks, the business world has been on the alert for a vulnerability that threatens to affect far more than just information technology.
This is a critical vulnerability, tracked as CVE-2021-44228 and also known as ‘Log4Shell’, in Log4j, a widely used open-source Java logging library. Affecting Log4j versions 2.0-beta9 to 2.14.1, the flaw has the potential to cause data exfiltration and/or remote code execution on servers that use this component for their logging functionality.
The real problem, which has brought Log4Shell under the global spotlight with a huge impact, is that, unlike other major cyber attacks involving one or a limited number of software products, Log4j is embedded in practically every Java-based product or web service. It is used directly or indirectly (via third-party code) in the world’s most popular consumer applications and business services. It is very difficult to remedy manually, but if left unpatched the RCE (Remote Code Execution) vulnerability within it can allow a cybercriminal to execute arbitrary Java code and take control of a corporate server, with all the consequences we can imagine.
But why is Log4j so dangerous and how can companies protect themselves adequately?
As mentioned, the first step is visibility. The library is widely used and is found in numerous Java servers, so it is very likely that a company is not immediately aware that it has a potentially explosive problem in its own house. For this reason, making an inventory of one’s software assets is essential, in order to find out whether that particular library is present and to patch it immediately. Caution is called for here, however, because a new version of a particular server product does not necessarily contain the updated version of the specific library. IT infrastructure scanning tools are available to identify the individual points of criticality. The support of a company specialised in cybersecurity, with a clear understanding of all the mechanisms and processes involved, is crucial at this stage.
Another key aspect is speed. Because it is so widespread and so difficult to identify, the Log4j vulnerability is an incredible opportunity for cyber criminals, who can launch large-scale attacks targeting every organisation running Java software that bundles the affected versions of the library. Until this is remedied, those companies are at risk. We need tools capable of operating on a wide scale, both to analyse a large number of machines in a very short time and to update them. Large-scale remediation is needed to nip any prospect of attack by cyber criminals in the bud.
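The inventory and large-scale analysis described in the two paragraphs above can be partly automated. The following Python script is an added example, not code from Axitea or from the Log4j project: it walks a directory tree, opens every jar/war/ear archive, recurses into archives nested inside them (the WEB-INF/lib case that makes the library so easy to miss), reads the version from the Maven pom.properties that log4j-core ships, checks it against the 2.0-beta9 to 2.14.1 range the article quotes, and also flags the presence of the JndiLookup class, which catches shaded or repackaged copies that carry no Maven metadata. The build_fake_jar and build_fake_war helpers construct sample archives in memory purely so the script can be run offline; they contain placeholder bytes, not real Log4j code.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Standard Maven metadata that log4j-core ships inside its jar, and the class
# that implements the JNDI lookup abused by CVE-2021-44228 (Log4j 2.x path).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Affected range quoted in the article: 2.0-beta9 through 2.14.1.
_FINAL = 10**6  # sort-key value placing a final release after any of its betas
FIRST_AFFECTED = (2, 0, 0, 9)
LAST_AFFECTED = (2, 14, 1, _FINAL)


def version_key(version: str) -> Optional[tuple]:
    """Turn '2.0-beta9' or '2.14.1' into a comparable tuple; None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$", version.strip())
    if not m:
        return None
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), int(beta) if beta else _FINAL)


def is_affected(version: str) -> Optional[bool]:
    """True if the version lies in the affected range, None if it cannot be parsed."""
    key = version_key(version)
    if key is None:
        return None
    return FIRST_AFFECTED <= key <= LAST_AFFECTED


@dataclass
class Finding:
    location: str             # archive path; '!' separates nested archives
    version: Optional[str]    # from pom.properties, if present
    jndi_lookup: bool         # JndiLookup.class present in this archive
    affected: Optional[bool]  # None when no version could be determined


def scan_archive(data: bytes, location: str) -> List[Finding]:
    """Inspect one zip-based archive (jar/war/ear) and recurse into nested ones."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi = JNDI_CLASS in names
        if version is not None or jndi:
            findings.append(Finding(location, version, jndi,
                                    is_affected(version) if version else None))
        for entry in sorted(names):
            if entry.lower().endswith(NESTED_SUFFIXES):
                try:
                    findings.extend(scan_archive(zf.read(entry), f"{location}!{entry}"))
                except zipfile.BadZipFile:
                    pass  # archive-like suffix but not actually a zip; skip it
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Walk a directory tree and scan every archive found in it."""
    findings: List[Finding] = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in NESTED_SUFFIXES:
            try:
                findings.extend(scan_archive(path.read_bytes(), str(path)))
            except zipfile.BadZipFile:
                pass
    return findings


def build_fake_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed sample: a minimal archive carrying only the metadata we scan for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def build_fake_war(inner_jar: bytes) -> bytes:
    """Constructed sample: a WAR bundling the jar under WEB-INF/lib, as web apps do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    # Demo on a constructed WAR; on a real host call scan_directory("/opt") etc.
    for finding in scan_archive(build_fake_war(build_fake_jar("2.14.1")), "app.war"):
        print(finding)
```

Two practical notes. First, a finding with jndi_lookup true but no version (affected None) still deserves a manual look, because fat jars built with shading often drop Maven metadata. Second, the range check encodes exactly the versions the article names; some distributions received backported fixes under older version numbers, so treat the result as a triage list to reconcile with the vendor's advisory, not as a final verdict.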
In all this, the company’s ability to analyse its infrastructure in detail against the main security paradigms also plays a very important role. Whether the issues are known vulnerabilities, configuration inconsistencies, errors in the allocation of permissions or insufficiently clear operational processes, all of them can result in a dangerous situation, more or less latent. Only recurring scanning, covering not only the vulnerabilities but also the processes, can significantly raise the level of protection, allowing an effective remediation strategy to be defined and implemented when problems arise. Having access to a SOC, with continuously updated vulnerability intelligence and well-defined playbooks for remediation, can make all the difference.
Finally, the organisation’s ability to see the bigger picture is crucial. Increasingly, the constant flow of successive installations creates distinct areas with different security postures, the so-called ‘silos’. This generates a twofold problem: on the one hand, a lack of homogeneity in the security of the various business functions, which can leave the overall structure unbalanced; on the other, the possibility for criminals to creep into the ‘grey’ areas between silos, i.e. areas that are not sufficiently guarded. This can only be successfully addressed by considering security as a whole, at organisation level. That means elevating it to the status of a strategic corporate priority and treating it accordingly, no longer as a ‘necessary evil’ but as a foundational element of the company’s business, on a par with other functions such as research and development or sales. With security considered a priority, investment in this field should be directed to solutions and technologies that can always guarantee the best protection, with the situation constantly monitored, both in terms of the infrastructure and of the external threat landscape. Only a SOC, based on state-of-the-art technology and backed by up-to-date expertise, can provide companies with the level of security they need to operate with confidence.
Axitea Cyber Security Team