December 15, 2021

What is Apache Log4j2 (Log4Shell) ?

Video Interview with Jason Yuan, VP - Product & Marketing, on all you need to know about Apache Log4j2 (Log4Shell) Vulnerability and how you mitigate it.

Interview of Jason Yuan, VP – Product & Marketing, Forenova

 

 

Most of the documents and material available online on this vulnerability are very technical and difficult to understand. So we invited a subject matter expert to explain this to us in a simpler and easier language to understand.

See how NovaCommand can detect unknown threats and help you take swift action

Learn more

 

So, what’s the big deal about this Log4j2 (Log4Shell) Vulnerability?

  • This is the biggest security event of the decade.
  • Some say it’s the biggest security vulnerability since the Internet was invented. It impacts both business and consumers.
  • In the United States, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, termed the exploit "critical" and advised vendors to prioritize software updates.
  • The German agency Federal Office for Information Security (BSI) designated the exploit as being at its highest threat level, calling it an "extremely critical threat situation" (translated)

Who might have these Apache Log4j2 (Log4Shell) Vulnerabilities?

  • First of all, a bit technical background: Log4j2 is used by a very large percentage of the Java programs developed in the last decade for both server and client applications. Java is also one of the top programming languages used by businesses.
  • Second: to answer your question, this impacts software used by enterprises and governments globally. Essentially, all industries. All geography. Forenova’s global threat intelligence has the capability to scan around the internet to identify weak systems. Last week, shortly after we learned about this vulnerability, we identified 3000 infected servers within 1 hour. Many more in the next few days. Interestingly enough, education tops the list. My guess is that they don’t have enough IT budget to buy software; nor do they have enough security budget to secure them. However, pretty much all industries suffer.
  • Third: many consumer software is impacted, here is what’s been detected in the past few days: Bluetooth headphone. If you play games, Minecraft allows other games users to turn your machine into a crypto miner. On the internet, someone managed to demonstrate this vulnerability on iCloud. Such weakness has been found on the most popular e-commerce websites. On an even more dangerous side: a successful POC has been performed on a top branded automotive entertainment system.

 

What’s the potential impact of Log4j2?

  • This is a zero-day arbitrary code execution. It’s characterized as the “single biggest, most critical vulnerability of the last decade”. 
  • This allows remote code execution without credentials. Meaning, someone can take over your system, which means they can run any code and access all data on the affected machine. It also allows them to delete or encrypt files and hold them for ransom.
  • However, it’s not a very difficult attack. And it does not require sophisticated software programming experience.
  • All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.

How about customers with their own software?

Any customers with some open-source software might be subject to such an attack as well.

 

Apache Software Foundation assigned the maximum CVSS severity rating of 10 to Log4Shell, as millions of servers could be potentially vulnerable to the exploit.

 

The security of the supply chain is demonstrated to be very important.

 

How did we get here?

  • Security responders within software companies are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely.
  • At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.
  • We forecast many new ransomware to leverage this vulnerability in the coming weeks.

 

What SHOULD customers do? 

  • Self-assess your own exposure ASAP. Some can be done in hours, others may take weeks. You will need to check your software and hardware provider.
  • In the case you need a quicker assessment, I would like to suggest that you work with vendors like ourselves to help you with an automated assessment. Here are some examples,
  • From your network traffic, our Network Traffic Analysis can detect any software within your network that uses the vulnerable Log4j2 versions
  • From a server point of view, we have software tools to help you to get a list of assets that contains all software used, and can further identify the vulnerable systems.

 

I found it, what should I do next?

  • Patch if you can.
  • However, many software can not be patched. As they might be running legacy software, as an older version of Java.
  • Change configuration. There are three alternatives. We can provide the details.
  • Virtual patch by FW or IPS if needed. Contact us for details.
  • Deploy an NDR like ours to help you to improve asset discovery, detection and response.

 

How would customers know if they are compromised?

  • Log review
  • Most traditional tools are used for prevention. FW, AV. What you need to improve are a much stronger detection and response capability.
  • Use tools such as our NDR to improve your Detection capabilities.
  • Should you uncover any security incidents, you can contact us directly so we can help you with the incident response.

See how NovaCommand can detect unknown threats and help you take swift action

Learn more