What is Log4Shell, and Should Your Organization Care?

What is Log4Shell, and Should Your Organization Care?

November 24, 2021. The security team at Alibaba Cloud discovers a critical vulnerability in the popular Java logging service Apache Log4j. They report it to Apache, which gets it pulled from Github. From there, the true extent of the vulnerability begins to take shape.

Tracked as CVE-2021-44228 and CVE-2021-45046, also known as Log4Shell, the Log4j vulnerability has sent the world’s cyber security experts into a panic. But what is it, and should companies residing in the European Union care?

Let’s take a look.

WHAT IS THE LOG4SHELL THREAT?

If your company currently operates Java-based applications using versions 2.0 through 2.15.0 of the Apache Foundation’s Log4j logging library (which replaces the built-in log4j package), then this threat is highly relevant to your business.

What Log4Shell inadvertently enables is, essentially, the possibility of a remote takeover of your system. Attackers exploiting this issue are able to remotely execute a specially crafted code to gain access to their target’s system. They don’t need login access, and it’s not even particularly difficult.

This is also not solely a Windows problem

It’s common for non-Windows users to believe they are safe from typical cyber threats, but that’s not the case with Log4Shell. This is a vulnerability in a Java library, which is a cross-platform tool. Attackers can target users on any operating system that can run Java.

SHOULD EUROPEAN ORGANIZATIONS CARE?

Absolutely.

This is a wide-reaching problem. The Apache Foundation’s logging package is in use by thousands of companies all over the world, and the vulnerability itself can be quite difficult to patch (depending on the environment). The European Union Agency for Cybersecurity (ENISA) is recommending that all EU organizations, especially those who fall under the Network and Information Security (NIS) Directive, assess their systems and take precautionary measures.

Even if you don’t develop Java-based apps, it would be wise to perform an assessment

The thing is, your partners and vendors may be vulnerable to the exploit. The global supply chain these days is digital, and even if an affected company is on the other side of the world to yours, if their system and your system have any kind of connection, you’re only as safe as they are.

HAVE YOU BEEN AFFECTED BY THE LOG4J THREAT? HERE’S WHAT YOU NEED TO DO

If you’re worried that your system could be compromised by this threat, there are a few steps you need to take immediately in order to reduce the likelihood of a breach.

  1. As of December 2021 – upgrade to Log4j version 2.17.0. Earlier patches (v2.15.0) have proven insufficient, leaving users vulnerable to further exploitation in certain configurations.
  2. If you’re running Java 7, upgrade to Log4j 2.12.2.
  3. Read through Cisco Talos’ mitigation measures for more technical information, additional configurations that could reveal vulnerabilities, and to find guidance for developers.
  4. Additionally, you must also audit your third-party vendors to determine if they too may have been exposed. Ask yourself:
  5. Who are the vendors we are working with?
  6. Do I work with third parties who are running Java-based applications?
  7. Do my vendors’ partners use any Java-based applications?
  8. Organise one-hour meetings with your cyber security team and key organizational stakeholders to discuss security posture and to review pain points and vulnerabilities.

HOW TO PROTECT YOURSELF AGAINST FUTURE VULNERABILITIES

This is a tricky type of vulnerability to defend against, as you won’t necessarily know when another like it will appear – or where it will appear from. That said, there are a number of measures you can take over the coming months that will better place your organization to rapidly respond to future exploits and attacks. This will require some additional reading.

  1. Learn more about how to mitigate the risk from third-party vendors.
  2. Learn how to respond to a cyber breach.
  3. Find a checklist that will help you audit the security maturity of your business.

If your business has not already gone through a basic security architecture transformation, or the above checklist has revealed significant security risks, we recommend reading the following:

  1. Learn the basics of security architecture.
  2. Learn more about implementing security architecture.
  3. Learn how to turn business drivers into business attributes.

Need personalized help with a professional you can actually talk to? Contact us today to discuss your unique needs and what steps your organization must take to improve its security defensibility.

Share :