Log4j – it’s considered one of the most significant vulnerabilities that will haunt cybersecurity professionals for years.
On December 9, 2021, the Apache Software Foundation “disclosed a massive vulnerability in Log4j,” its Java logging library. This disclosure, according to reporter Chris Stokel-Walker in Wired, “triggered a cat-and-mouse game as IT professionals raced to secure their systems against cybercriminals looking to exploit a huge, now-known issue.”
Log4j is a near-ubiquitous logging tool in Java environments. It helps developers keep track of what goes on inside their apps. As an event recorder, it monitors simple actions, both routine and errors, and reports them to system administrators or users. “Because it’s open source and reliable, plugging in Log4j instead of building your own logging library from scratch has become standard practice,” Brian Barrett writes in Wired. “Moreover, so much of modern software is cobbled together from various vendors and products that it may be difficult, if not impossible, for many potential victims to even know the full extent of their exposure.” It’s also easy to exploit, Barrett writes: “Just send a malicious piece of code and wait for it to get logged. Once that happens, congratulations; you can now remotely run whatever code you want on the affected server (caveats – that’s the short version, it’s a little more complicated in practice).” This combination of “severity, simplicity, and pervasiveness” has rattled the cybersecurity community.
The Log4j vulnerability likely affects hundreds of millions of devices. It is everywhere, which “makes it difficult to know whether any individual organization is affected.” According to Wired, it was first discovered in Minecraft and “has since been found in cloud applications, enterprise software, and on everyday web servers.” What’s more, Log4j is a small but very “common component in tens of thousands of products—many of which are then bundled up into bigger projects.” This means that many organizations don’t even know that some of their computer systems are relying on it and so could remain vulnerable to hackers for months or years. Log4j is just the tip of the open-source software spear. Like much of open-source software, it’s easy, fast, and convenient. It’s everywhere. And it could be riddled with bugs.
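Because the library is so often bundled inside other archives, the first defensive step is simply finding every copy. The script below is an added illustration, not code from the original post or from the Apache project: it recursively opens JARs, WARs and EARs, records each log4j-core copy with its version (read from the file name, or "unknown" for shaded or renamed jars) and whether `JndiLookup.class` is still present; the sample WAR is constructed in memory and the recursion bound of five levels is an assumption.

```python
"""Inventory scanner for nested log4j-core copies (added example)."""
import io
import re
import zipfile

# The class behind the JNDI lookup; its presence means the
# "remove JndiLookup.class" mitigation has not been applied.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)")


def scan_archive(data: bytes, name: str, findings: list, depth: int = 0) -> None:
    """Open an archive from bytes and descend into every archive it contains."""
    if depth > 5:  # assumption: bound recursion for pathological nesting
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    m = VERSION_RE.search(name)
    # Record by file name OR by class presence so shaded/renamed jars are caught.
    if m or JNDI_CLASS in names:
        findings.append({
            "path": name,
            "version": m.group(1) if m else "unknown",
            "jndi_lookup_present": JNDI_CLASS in names,
        })
    for entry in names:
        if entry.lower().endswith(ARCHIVE_EXT):
            scan_archive(zf.read(entry), f"{name}!/{entry}", findings, depth + 1)


def _make_jar(entries: dict) -> bytes:
    """Build a zip in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


# Constructed sample: an application WAR bundling an unpatched log4j-core.
SAMPLE_WAR = _make_jar({
    "WEB-INF/lib/log4j-core-2.14.1.jar": _make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe"}),
    "WEB-INF/lib/log4j-api-2.14.1.jar": _make_jar({"org/apache/logging/log4j/Logger.class": b""}),
})

if __name__ == "__main__":
    results = []
    scan_archive(SAMPLE_WAR, "app.war", results)
    print(results)  # one finding: the nested log4j-core-2.14.1.jar with JndiLookup present
```

Point `scan_archive` at the bytes of each archive on a real host (or wrap it in a directory walk) and compare the reported versions against the Apache advisory for the fixed releases.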
As reported in Wired, as company cybersecurity experts struggled to try to determine their vulnerability and exposure to the Log4j problem – and how to fix the situation – they were being ordered by multiple federal agencies to act more quickly. The US Cybersecurity and Infrastructure Security Agency (CISA) set federal agencies a deadline of Christmas Eve to figure out whether they used Log4j in their systems – and to patch it. CISA director Jen Easterly said that it was the most serious vulnerability she’d seen in her career. Then, on January 4, CISA and the Federal Trade Commission issued a warning to US businesses: “When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the FTC wrote. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” The federal body said it wouldn’t hesitate to use its full legal authority “to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
This was designed to shift liability to businesses. The idea was that if companies felt threatened with legal action, they would feel compelled to act, Wired reports. But it proved incredibly difficult to determine how and where and whether they were affected. And many companies felt the pressure only made the situation feel more dire – without really offering any useful solutions. Others disagree with this criticism and appreciate that the government is finally taking cybersecurity threats seriously. Joseph Marks writes in The Washington Post, “That’s a major shift from just a few years ago when it would have been effectively impossible for the government to implement such a big fix on such short notice.”
Even with this federal pressure and support, companies are struggling to fix this vulnerability. And small and medium-sized businesses will be disproportionately affected. Some companies don’t even know where to start. For example, one person interviewed in Wired said that their company would have to send out 4,000 emails to owners of applications that they use asking them to determine if they are affected. Many companies have come to rely on open-source software, because it’s free and often really useful. But because open-source software is developed and maintained by a small and often overworked team of volunteers, this dependence has only compounded the exposure to threats like Log4j.
On January 13th the White House convened a meeting with government officials and industry leaders such as Google, Microsoft, IBM and tech foundations. The participants discussed the issues surrounding the mammoth task of rooting out computer bugs that could be littered throughout the open-source software that powers much of the Internet. They agreed that there were several things to consider, including building a government-industry partnership to create a catalogue of the most important pieces of open-source software that could spark Log4j-level concerns. Those components would then be checked and rechecked for hackable bugs.
The project, which Google officials outlined in a statement after the meeting, would resemble an effort CISA is undertaking to create a broader list of the most “strategically important critical infrastructure,” which must be protected against hacking.
According to attendees, other priorities included:
As we’ve reported here month after month, there is a global shortage of cybersecurity professionals. Yet cybersecurity threats keep growing. And as you just read, the recent meeting of government and industry leaders stressed the need for ramping up cybersecurity training.
At CYRIN, we’ve been working to meet the cybersecurity challenges of our changing world for years with our advanced online simulated training. Our students love the realistic labs and the step-by-step training that allow them to work remotely and effectively in a cloud-based cyber range. Security professionals appreciate the realistic virtual scenarios that allow them to practice on simulations that are as close as they come to an actual attack.
It’s our mission to help your cybersecurity team prepare for whatever threats are on the horizon. You set up realistic scenarios on a simulated network where you practice remotely and safely to test your team, your systems, and their response. And you can practice as often as you like, while our Automated Performance Monitoring system measures performance and provides details and metrics that allow you to gauge the effectiveness of the network and the people in charge of protecting your systems.
CYRIN plays out real-life scenarios to help your team, your learners and your company be prepared and protected – for whatever comes next. To see what we can do for your team, contact us for further information and your personalized demonstration of CYRIN.