On Thursday, December 9, 2021, a severe vulnerability was discovered that has a devastating effect on systems across the internet. The severity of this particular vulnerability is rated 10/10, the highest known to memory. This means that hackers can remotely obtain unauthorised full access to the vulnerable system with zero user interaction.
A zero-day vulnerability is a weakness within an IT system or device that has been disclosed but has not yet been patched. Zero-day vulnerabilities are discovered before security researchers are aware of their existence, meaning cybercriminals race to exploit (take advantage of) these zero-day vulnerabilities, which is known as a zero-day exploit. The Log4j vulnerability is classed as a zero-day.
Log4j is a commonly used Java logging library that has been developed by the Apache Foundation. Java is a well-known computer programming language that emerged in the 90s. As in all programming languages, Java libraries are useful pieces of code written by someone else to help the development community.
Log4j is used by developers worldwide because it keeps track of what happens in software applications and cloud services and stores the tracked data in a log file. In computing, a log file is a file that contains information about activities, events, and operations that take place within a computer system or network, data that is useful to identify patterns. Hundreds of millions of devices, servers, and cloud services use this Java package, which is the reason why the vulnerability found within this software is so critical.
To put it plainly, this vulnerability is critical. The number of users for Log4j plus the potential impact of the security flaw makes this not only extremely high risk but also extremely dangerous, giving it a vulnerability score (CVSS) of 10/10.
Everyone, including organisations and individuals, is at risk. Individuals can be affected indirectly because cybercriminals can use the security flaw to install malware (malicious code) and backdoors onto servers and other computer systems, meaning that when these types of services are impacted maliciously, many millions of users will also become affected.
Businesses should also be aware of the potential consequences if their IT systems were to be exploited because of the zero-day vulnerability: cost of incident response, harmful impact to their reputation and brand image, and other financial losses.
Applications that are written in Java or applications that use the log4j library are most likely to be affected, for example, Maven and Gradle, which are used in software development. Many enterprise applications, such as supply chain management systems, customer relationship management systems, and resource planning systems are written in Java, and therefore will be affected by this vulnerability.
The Log4j vulnerability was exploited in the popular video game Minecraft, which has over 100 million active users worldwide. The vulnerability also affects major cloud services like Apple’s iCloud, Steam, AWS (Amazon Web Services), Arista Networks and Red Hat.
IBM, a global technology and innovation company, is also vulnerable because Log4j is used by the WebSphere Application Server. VMware, Fortinet, and CISCO are also vulnerable to CVE-2021-44228. Any device is affected if it is running Log4j version 2.0 to 2.14.1.
VMware
VMware is a virtualization and cloud computing software provider. If you own servers, you most likely use VMware. VMware has published a list of affected systems and a workaround.
Sophos Firewall
Sophos has acted quickly in patching all affected systems. Only one item in the list has not been treated yet. Check out the list here.
Amazon Web Services (AWS)
AWS has published an update with a list of the products that are affected and whether the threat is mitigated.
MongoDB Database
MongoDB is a database program that is used in various applications, particularly web applications (websites). MongoDB has published a list of affected systems and released patches.
This is not a complete list, merely examples of some popular applications that are affected by Log4j. Java-based apps like WebEx, Minecraft, JetBrains IDEs, Citrix, and Filezilla FTP are all vulnerable. If you are unsure whether your infrastructure is affected by the vulnerability, NCSC has published a guide that will help IT personnel to detect any unknown existence of Log4j in your systems.
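One way to check a directory tree against the version range given above (2.0 to 2.14.1), as an added example that is not taken from the NCSC guide or from this page's author: it reads the Maven `pom.properties` file that log4j-core JARs carry and also looks inside nested archives such as WAR files. The function names, sample file names and sample JARs are constructed for the demonstration.

```python
import io, os, re, tempfile, zipfile
from pathlib import Path

# Maven metadata shipped inside log4j-core JARs; its "version=" line names the release.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
LOW, HIGH = (2, 0, 0), (2, 14, 1)  # affected range as stated on this page

def parse_version(text):
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def scan_archive(data, label, hits):
    # Inspect one archive given as bytes, recursing into archives nested inside it.
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive: skip it rather than abort the scan
    with zf:
        for name in zf.namelist():
            if name == POM:
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                if ver and LOW <= ver <= HIGH:
                    hits.append((label, ".".join(map(str, ver))))
            elif name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!{name}", hits)

def find_affected_log4j(root):
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            scan_archive(p.read_bytes(), str(p), hits)
    return sorted(hits)

def make_jar(version, nested=None):  # constructed sample JAR, not a real Log4j build
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()

def demo():
    with tempfile.TemporaryDirectory() as root:
        Path(root, "old.jar").write_bytes(make_jar("2.14.1"))
        Path(root, "new.jar").write_bytes(make_jar("2.17.1"))
        inner = {"WEB-INF/lib/log4j-core.jar": make_jar("2.11.0")}
        Path(root, "app.war").write_bytes(make_jar(None, inner))
        return [(os.path.relpath(p, root), v) for p, v in find_affected_log4j(root)]
```

Call `find_affected_log4j("/path/to/apps")` on a real tree. JARs that were repackaged without their Maven metadata will not be found this way, so an empty result is a first pass rather than proof of absence.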
Supply chain
Even though your organisation may be safe from this newly found threat, your supply chain might be at risk. We recommend that you seek evidence-based reassurance from your supply chain.
By following these steps, users and organisations will have the best possible chance of protecting themselves from this zero-day vulnerability. The NWCRC can provide further security awareness training to organisations and individuals, which you can access by contacting us today.
Any organisation or individual can be affected by this recent zero-day vulnerability, so you must remain alert. Follow professional advice, keep your devices regularly updated, and watch out for vulnerability patches that will be released in the coming weeks. You can also contact the NWCRC to scan your network (either remotely or by an internal assessment). Our vulnerability assessments can test your IT system configuration using the same techniques used by hackers to ensure your company is not wide open to a cyber attack.
If you are unsure about how to approach this vulnerability or do not have an IT provider you can contact, email us at info@nwcrc.co.uk.