Criminals have used the vulnerability to launch attacks against companies and governments
WASHINGTON — In the months since the Apache Software Foundation announced a major security vulnerability in its Log4j 2 software library, cybersecurity experts have said they’ve seen attacks targeted across a number of industries, from a shutdown within the Belgian defense ministry to attempted installations of cryptocurrency miners.
Log4j has dominated headlines within the cybersecurity world, with the Director of the Cybersecurity and Infrastructure Security Agency Jen Easterly calling it “the most serious vulnerability I have seen in my decades-long career.”
As the Log4j’s consequences continue to unfold, three cybersecurity experts weigh in on what you need to know.
What is Log4j?
Log4j is an open-source logging tool developed by the Apache Software Foundation. Open-source software is distributed along with its source code, meaning its design is publicly accessible, and software developers can modify or adapt the code as they’d like.
“If I’m a developer and I’m writing some web application, and I need a software that will log user input — whether it’s for usability reasons or to log errors — the easiest way to do that is to grab an open source library like Log4j that already exists out there,” said Brian Donohue, a senior information security specialist at digital security company Red Canary.
An employee on Chinese e-commerce company Alibaba’s security team first reported a vulnerability within the Log4j library to Apache on Nov.21. When Apache publicly announced the flaw, now referred to as Log4Shell, they gave it a rating of 10.0 (the highest possible score) on the Common Vulnerability Scoring System scale, a standard way to rate a security flaw’s severity.
Why was Log4Shell so severe?
Sadik Al-Abdulla, chief product officer at application security company Onapsis, said the 10.0 rating was the result of two key aspects of Log4Shell: It is a remotely exploitable flaw, and it allows for code execution.
“That means that an attacker can attack you remotely — they don’t have to already have a presence on the system,” Al-Abdulla said. “If they can communicate with a vulnerable system, they can attack it. The ‘remote code execution’ part means they can cause code to execute, which means when they can take the system over, they can do whatever they want to do,” he added.
Because of this, Al-Abdulla said, Onapsis’s threat labs have seen attackers attempt to use Log4Shell for a wide range of tasks, including installing cryptocurrency miners and stealing the keys to a company’s entire web infrastructure.
Donohue said three other factors contributed to Log4Shell’s devastating impacts. First, because open-source utilities are extremely common within the digital world, libraries like Log4j can be found in almost every piece of software, from large-scale web infrastructures to ATM machines and gas pumps.
Second, Log4Shell doesn’t require attackers to have a lot of technical skill. Last, Log4j is a dependency, meaning it’s a component of a broader software, as opposed to a stand-alone application.
“You might be using some web application framework that’s made by a vendor, and that vendor may be using Log4j. So you don’t necessarily always know everywhere it is,” Donohue said.
What can companies and individuals do?
The Cybersecurity and Infrastructure Security Agency has released an open-source scanner that companies can use to identify Log4j instances within their software libraries as well as formal guidance on approaching the vulnerability.
Al-Abdulla said organizations still need to be proactive in fully testing their security response processes.
“There was a very big difference between the vendors that had fully tested fixes out the door within a week of the bulletin and vendors that still haven’t released them,” he said.
Colin Murphy, chief information officer of cybersecurity company KnowBe4, said there’s not much that can be done to mitigate Log4j’s impacts on an individual level. Above all, he said, Log4Shell is a cautionary tale of security awareness.
“I don’t think there’s a technical solution that individuals can really take on, but they can certainly think about how interconnected their lives are. If you’re in a smart home, you have all of these different devices around your house that are interconnected. All of those things are points of entry at this point with a vulnerability like this,” Murphy said.
How will Log4Shell affect the digital security world going forward?
Apache released an update to Log4j quickly after discovering the flaw. But Murphy, Al-Abdulla and Donohue agree that Log4j’s vulnerability is going to have “a long tail.”
Because Log4j is a dependency, it can be much more complex to identify, remediate and test all of the places where it was used, Al-Abdulla said.
To him, major vulnerabilities like Log4Shell will serve as a wake-up call for companies that haven’t been forward-thinking about cybersecurity; CIBR, -0.44%.
“Every time we have incidents like this, it does force a greater level of maturity into the survivors. Every company that may not be thinking about a secure development lifecycle is probably forcing themselves to reevaluate if they had a lot of thrash even trying to find Log4j in their own products,” Al-Abdulla said.