On Thursday, December 9, 2021, a severe vulnerability was discovered that has a devastating effect on systems across the internet. The severity of this particular vulnerability is rated 10/10, the highest known to memory. This means that hackers can remotely obtain unauthorised full access to the vulnerable system with zero user interaction.

A zero-day vulnerability is a weakness within an IT system or device that has been disclosed but has not yet been patched. Zero-day vulnerabilities are discovered before security researchers are aware of their existence, meaning cybercriminals race to exploit (take advantage of) these zero-day vulnerabilities, which is known as a zero-day exploit. Log4j is classed as a zero-day.

What is Log4j?

Log4j is a commonly used Java logging library that has been developed by the Apache Foundation. Java is a well-known computer programming language that emerged in the 90s. Similar to all programming languages Java libraries are useful pieces of code written by someone else to help the development community.

Log4j is a library that is used by developers worldwide, because of its ability to keep track of what happens in software applications and cloud services, in which the data tracked is then stored in a log file. In computing, a log file is a file that contains information about activities, events, and operations that take place within a computer system or network, data that is useful to identify patterns. Hundreds of millions of devices, servers, and cloud services use this java package, which is the reason why the vulnerability found within this software is so critical.

How serious is the Log4j Vulnerability?

To put it plainly, this vulnerability is critical. The number of users for Log4j plus the potential impact of the security flaw makes this not only extremely high risk but also extremely dangerous, giving it a vulnerability score (CVSS) of 10/10.

Who is affected by Log4j?

Everyone, including organisations and individuals, is at risk. Individuals can be affected indirectly because cybercriminals can use the security flaw to install malware (malicious code) and backdoors onto servers and other computer systems, meaning that when these types of services are impacted maliciously, many millions of users will also become affected.

Businesses should also be aware of the potential consequences if their IT systems were to be exploited because of the zero-day vulnerability: cost of incident response, harmful impact to their reputation and brand image, and other financial losses.

What is affected by the Log4j Vulnerability?

Applications that are written in Java or applications that use the log4j library are most likely to be affected, for example, Maven and Gradle, which are used in software development. Many enterprise applications, such as supply chain management systems, customer relationship management systems, and resource planning systems are written in Java, and therefore will be affected by this vulnerability.

The log4j vulnerability was exploited in the popular ,video game Minecraft, which has over 100 million active users worldwide. The vulnerability also affects major cloud services like Apple’s iCloud, Steam, AWS (amazon web services), Arista Networks and Red Hat.

IBM, a global technology, and innovation company are also vulnerable because Log4j is used by the WebSphere Application server. VMwServerortinet, and CISCO are also vulnerable to CVE-2021-44228. Any device is affected if it is running log4j, version 2.0 to 2.14.1.

Some of the applications that have been affected by Log4j

VMware

VMware is a virtualization and cloud computing software provider. If you own servers , you most likely use VMware. ,VMware has published a list of affected systems and a workaround.

Sophos Firewall

Sophos has acted quickly in patching up all affected systems. There is only one in the list that is not treated yet. ,Check out the list here.

Amazon Web Services (AWS)

AWS has published an ,update with a list of the products that are affected and if the threat is mitigated.

MongoDB Database

MongoDB is a database program that is used in various applications and particular web applications (websites). MongoDB has published a ,list of affected systems and released patches.

This is not a complete list and merely examples of some popular applications that are affected by Log4j. Java-based apps like WebEx, Minecraft, JetBrains IDEs Citrix, Filezilla FTP are all vulnerable. If you are unsure whether your infrastructure is affected by the vulnerability, NCSC has published a ,guide that will help IT personnel to detect any unknown existence of Log4j in your systems.

Supply chain

Even though your organisations may be safe from this newly found threat, your supply chain might be at risk. We recommend that you seek evidence-based reassurance from your supply chain.

What can organisations do to put protective measures in place?

• Review your system for the use of Log4j
• Upgrade the Log4j software to 2.16.0
• Check the list of vulnerable software
• Ensure that all your system software is updated
• Contact software vendors
• Set Web Application Firewall rules
• Check for scanning activity
• Review supply chain systems
• Keep updated by following advice from the ,NCSC

How can individuals protect themselves from Log4j?

• Do not ignore software updates
• Keep all your devices (phones, tablets, laptops) regularly updated
• Increase awareness of this vulnerability in your organisation
• Ensure you have anti-virus software; attackers may use the log4j vulnerability to spread malware onto systems and devices

By following these steps, users and organisations will have the best possible chance of protecting themselves from this zero-day vulnerability. The NWCRC can provide further ,security awareness training to organisations and individuals, which you can access by contacting us today.

Any organisation or individual can be affected by this recent zero-day vulnerability, so you must remain alert. Follow professional advice, keep your devices regularly updated, and watch out for vulnerability patches that will be released in the coming weeks. You can also contact the NWCRC to scan your network (either remotely or by an internal assessment). Our ,vulnerability assessments can test your IT system configuration using the same techniques used by hackers to ensure your company is not wide open to cyber an attack.

If you are unsure about how to approach this vulnerability or do not have an IT provider you can contact, email us at info@nwcrc.co.uk.