In December 2021 news of a critical vulnerability in the Apache Log4j software made the headlines. While it has now been more than one year since the initial alert, and despite patches being released, the vulnerability persists.
The Log4j vulnerability
The logging tool Log4j is used by millions of computers worldwide in online services and software applications. Due its potential impact, the issue was described by the National Cyber Security Centre as being one of the most severe computer vulnerabilities in years.
The defect to Log4Shell (officially tracked as CVE-2021-44228), was found to be enabling hackers to remotely execute malicious code on target computers. They were then able to use this to steal data, control systems or install malware.
While a patch was released on December 6 it failed to completely resolve the vulnerability, a further three patches were then released in the run-up to the new year.
Federal agencies were instructed to take immediate action
The US Cybersecurity and Infrastructure Security Agency (CISA) released an Emergency Directive for all federal civilian agencies giving them until December 23, 2021, to update assets with all provided patches.
By December 28, 2021, agencies were also required to report all affected software applications and confirm what action had been taken.
Log4j remains a threat in 2023
The highest concentration of critical findings linked to Log4j were found within the first 48 hours of the vulnerability becoming known. At the time, findings often originated in the core of an application and later findings migrated to the dependences those applications rely on.
In September last year, US, UK, Canada and Australia cybersecurity authorities warned that state sponsored hackers were continuing to exploit VMware Horizon Log4j bugs to extort data and encrypt disks as part of their ransomware attacks.
As the Log4j library is widely used it is likely to still be embedded in large systems and organizations that are not keeping track what is in their software supply chain are most at risk. Data from the Maven Central Repository, widely used repository of Java components, shows that around 29 percent of Log4j downloads are for vulnerable versions.
What actions do organizations need to take?
While more than twelve months may have passed since the Log4j issue was discovered, organizations cannot assume the threat no longer persists in their network.
Organizations need to act and review their environment for vulnerable instances of Log4j, looking further than obvious applications and deeper into the network where instances may have been bundled into other software stacks.
CISA have provided their recommended steps for determining whether your products are vulnerable and how patching should be prioritized.
Practicing good cyber hygiene, including keeping all applications up to date, is essential. As is the transition to a zero-trust approach to security, which assumes the network perimeter has already been breached
Networking devices when correctly configured, play a fundamental role in preventing lateral movement across the network in the event of an attack
This is where Titania’s security and compliance assessment and assurance tools, Nipper and Nipper Enterprise, can help by assuring and automating the assessment of firewalls, switches and routers, with risk prioritized remediation recommendations. The Log4j vulnerability is included in checks run in Nipper’s Vulnerability Audits. Find out more and request a free trial or proof of concept today.