RISKS

What Happened

On December 9, 2021, reports surfaced about a new zero-day vulnerability, termed Log4Shell, in the popular Java logging framework Log4j. It was first identified as impacting servers used to host the popular game Minecraft, but its potential impact reaches far beyond that. Here’s what you need to know about Log4j, the Log4Shell exploit, and considerations for similar zero-day exploits.

FTC Warning

A January 4, 2022 bulletin by the FTC warns organizations of legal action if they do not fix the Log4j vulnerability. “The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC Legal action.”

What is Log4j?

Log4j is a Java-based logging utility written by the Apache Software Foundation. The initial release was 21 years ago in 2001, and it has been updated numerous times over the years. As the name suggests, developers use Log4j to record what happens in their software applications or online services in application logs. Because Log4j is a universal code module for application logging in Apache, the most widely used web server software, Log4j is literally found in millions of servers across the world.

Log4Shell Vulnerability

Log4Shell (CVE-2021-44228) was a zero-day vulnerability identified in Log4j. Despite Log4j being used by millions of companies, the vulnerability had existed unnoticed since 2013 until it was discovered and privately disclosed to Apache on November 24, 2021 by a member of Alibaba Cloud’s security team. The flaw was publicly disclosed on December 9, 2021. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score.

The vulnerability takes advantage of Log4j’s ability to allow requests to arbitrary servers, permitting attackers to execute arbitrary Java code on a server or other computer, or to leak sensitive information. Affected commercial services include Amazon Web Services, Cloudflare, iCloud, Minecraft: Java Edition, Steam, and Tencent QQ.

According to the security company Wiz, the vulnerability affected 93% of enterprise cloud environments and in the first five days alone, hackers launched more than 1.2 million attacks on companies globally. It has been described as the ‘most serious’ security breach ever by The Washington Post and “by far the single biggest, most critical vulnerability ever” by Venable.

Fortunately, the fix to the originally identified vulnerability was fairly simple, and Apache released a new version of Log4j (2.15.0) even before publicly disclosing the flaw. Many companies were able to apply it before attackers could exploit the vulnerability in their environments. However, not all companies acted swiftly enough to update to the new version before they were attacked: companies such as ONUS experienced attacks because of the Log4j vulnerability even though they applied the patch within four days of the vulnerability being publicized. Apache ultimately released three additional versions in December (2.16.0, 2.17.0 and 2.17.1) to address other identified security vulnerabilities in Log4j, so the battle continues between hackers and organizations.

APPROACHES

Addressing Zero-Day Vulnerabilities Like Log4j

When zero-day vulnerabilities are identified, the race is on for software developers to address the vulnerability and issue a software patch before that vulnerability becomes known to cyber attackers. Even if the software developers issue the patch first, the most they can do is notify their customers. In many cases, the customer must apply the patch itself. Prompt application of software patches to address Log4j vulnerabilities saved many, but not all, companies from cyber-attacks resulting from the vulnerability. The National Vulnerability Database (NVD) hosted by NIST includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics, including a Common Vulnerability Scoring System (CVSS) score to indicate the severity of the vulnerability.

It’s important to apply security patches as soon as possible to exercise your duty of care in minimizing risk. Hackers don’t give you a grace period! Organizations should also be prepared for incidents like zero-days, and their IR plan and tabletop exercises should include this type of scenario. Creating a zero-day runbook and running through a drill will ensure that the team is prepared.

Recommendations

Strong Patch Management Program

  • Inventory systems
  • Prioritize systems
  • Identify sources for patch and vulnerability information
  • Monitor for patch releases
  • Assignments to personnel
  • Review, Test, Approve, Deploy, Validate
  • Document changes
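
For the inventory and validate steps in the Log4j case, the sketch below (an added example, not from the original bulletin) walks a directory tree and flags every log4j-core jar older than 2.17.1, including copies bundled inside WAR or fat-JAR archives. The 2.17.1 threshold, the function names and the stub sample files are assumptions made for illustration.

```python
import io, re, tempfile, zipfile
from pathlib import Path

MIN_FIXED = (2, 17, 1)  # assumption: newest release this page names; raise as needed
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def _record(name, label, findings):
    """Append (location, version, needs_patch) if name is a log4j-core jar."""
    m = JAR_RE.search(name)
    if m:
        version = tuple(int(g or 0) for g in m.groups())
        findings.append((label, version, version < MIN_FIXED))

def _scan_archive(data, label, findings, depth=0):
    """Recurse into zip-format archives; fat JARs and WARs bundle libraries."""
    if depth <= 3 and zipfile.is_zipfile(io.BytesIO(data)):  # cap nesting depth
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                _record(name, f"{label}!{name}", findings)
                if name.lower().endswith(ARCHIVES):
                    _scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Inventory every log4j-core jar under root, including nested copies."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            label = path.relative_to(root).as_posix()
            _record(path.name, label, findings)
            _scan_archive(path.read_bytes(), label, findings)
    return findings

def _zip_bytes(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed sample: stub jars (no real Log4j code), one inside a WAR."""
    stub = _zip_bytes("META-INF/MANIFEST.MF", b"")
    files = {"app1/lib/log4j-core-2.14.1.jar": stub,
             "app2/lib/log4j-core-2.17.1.jar": stub,
             "app3/shop.war": _zip_bytes("WEB-INF/lib/log4j-core-2.15.0.jar", stub)}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_bytes(data)
        return scan_tree(root)
```

Matching on file names misses renamed or shaded copies of the library, so a clean result is a first pass to be confirmed against build manifests or vendor statements.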

Incident Response Readiness

Commonality of attack

High
