Log4j – Experts speak of an «Internet apocalypse»
Four responses to the Log4j vulnerability
A vulnerability in Java software has been keeping IT security personnel awake since the weekend. Millions of applications are affected. The critical gap in the Java library Log4j is currently dominating the headlines. The IT world is declaring a “red alert” because the Log4j code can perform JNDI variable expansion on the messages it logs. On December 9, 2021, the Apache Software Foundation published a security advisory fixing a remote code execution vulnerability (CVE-2021-44228) affecting the Java-based logging utility Log4j. MITRE rated the vulnerability as highly critical and gave it a CVSS score of 10/10. Shortly thereafter, attackers in the wild began exploiting the Log4j vulnerability, prompting government cybersecurity institutions around the world, including the United States Cybersecurity and Infrastructure Security Agency and the Swiss Government Computer Emergency Response Team, to issue alerts urging companies to patch their systems immediately.
But what is JNDI?
Jindi al Dap is the name of an ancient Arab philosopher and mathematics pioneer who worked for Sun/Oracle to develop a system of directory lookups in Java. This system somehow reloads code from the Internet.
How widespread is the Log4j vulnerability, and which systems are affected?
The Log4j vulnerability is extremely widespread and can affect enterprise applications, embedded systems, and their subcomponents. Java-based applications such as Cisco Webex, Minecraft, and FileZilla FTP are all examples of affected programs, but this list is by no means complete or exhaustive. The vulnerability even affects the Mars 2020 mission, which uses Apache Log4j for event logging.
The security community has created resources that catalog vulnerable systems. However, it’s important to note that these lists are constantly changing. So, if a particular application or system is not included in them, you should by no means take this as a guarantee that it is not affected. The likelihood of this vulnerability being exploited is high, and even if a particular technical stack does not use Java, security managers should assume that key vendor systems – SaaS providers, cloud hosting providers, and web server providers – do.
Assuming the vulnerability is exploited, what threat does this pose to enterprise applications and systems?
If the vulnerability is not fixed, attackers could use it to take over servers, applications, and devices and to penetrate corporate networks. There are already reports of malware, ransomware, and other automated threats actively exploiting this vulnerability.
The bar for exploiting this vulnerability is very low. All an attacker needs to do is enter a simple string into a chat window. The vulnerability is exploited before authentication, which means an attacker does not need to log in to a vulnerable system in order to trigger it. In other words, assume you are exposed.
What steps should cybersecurity leaders take to protect the enterprise?
Cybersecurity leaders must make identifying and remediating this vulnerability an absolute and immediate priority. Start with a detailed audit of all applications, websites and systems in your area of responsibility that are connected to the Internet or can be considered publicly accessible. This includes self-hosted installations of vendor products and cloud-based services. Pay particular attention to systems that contain sensitive operational data, for example, customer data and access credentials.
Once this audit is complete, turn your attention to external employees and ensure they update their personal devices and routers, which are an important link in the security chain: vulnerable home routers are a potential gateway to critical enterprise applications and data assets. This will likely require a proactive, dedicated approach, as simply issuing a list of instructions is not enough. Security leaders will need the support and collaboration of their entire IT team for this step.
Overall, it is time to take formal action to respond to serious incidents in accordance with organizational incident response plans. This incident requires the involvement of all levels of the organization, including the CEO, CIO, and the entire executive team. Make sure you have informed senior leadership and that they are prepared to respond publicly to questions. It is unlikely that this vulnerability and the attack patterns that exploit it will subside for some time, so active vigilance will be important for at least the next twelve months.