Skip to content

Illustration by Security Management

Software Vendors Scramble to Address Log4j Vulnerability

Apache Log4j is everywhere. You might not have heard of it, but hackers definitely have. They are making more than 100 attempts every minute to exploit a critical security vulnerability in the Java logging library.

A zero-day vulnerability now known as Log4Shell was discovered on 9 December with warnings that it could allow unauthenticated remote code execution and access to servers, ZDNet reported. Because so many enterprise and open-source software products use Log4j—including cloud platforms, Web applications, and email services—this vulnerability puts many critical online functions at risk.

So what is Log4j? It’s a widely used, open-source logging framework that developers use to keep a record of activity within an application, WIRED reported. Many mainstream services use the system, and they are hustling to patch systems and mitigate risk of compromise.

Meanwhile, malicious actors are scanning the Internet for affected systems and have developed tools to exploit and spread the bug.

According to comments sent to Security Management from Dr. Richard Ford, chief technology officer at cybersecurity solutions company Praetorian, Apache Log4j “is widely used and, because exploiting the vulnerability often does not require authentication or special access, it has exposed an incredible array of systems—there are even unconfirmed reports that simply changing your phone’s name to a particular string can exploit some online systems.”

Cybersecurity professionals—including ones at Praetorian, Ford said—spent the weekend scrambling to determine which programs were affected and what could be done to shore them up against attack. The vulnerability was rated at “critical” severity, and Apache published patches and mitigations on 11 December.

“All vulnerabilities are typically scored by how dangerous they are: this vulnerability has practically the highest score possible, and it seems likely that even some professionals are unaware of its potential impact,” Ford added. “The situation is rapidly evolving, and we are learning a great deal about the scope and impact of this vulnerability as we quickly work with customers to help mitigate the risk in the short term while they work on a long-term solution, which will require patching all instances of the vulnerable code—a process which could take months.”

Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security), released a statement on 11 December about the vulnerability, saying that "CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.”

The vulnerability has been added to the CISA catalog of known exploited vulnerabilities, compelling federal agencies to urgently patch their systems.

CISA gave multiple recommended courses of action, including upgrading to Log4j version 2.15.0, applying vendor recommended mitigations, enumerate any external-facing devices with Log4j installed, ensure the security operations center is taking action on every alert on the devices in this category, and install a Web application firewall with rules that automatically update so the security operations center can focus on fewer alerts.