The Log4j vulnerability has been in the news since its discovery in November 2021. At MainNerve, the most common question asked is, “Does MainNerve test for the Log4j vulnerability?” The answer is yes, but what is this vulnerability, and why does it matter so much?
The History of Log4j
Log4j is an open-source Java logging library originally created by Ceki Gülcü and donated to Apache Software Foundation. It has been widely used in many Java projects, including Eclipse and Apache Tomcat.
The current version of Log4j (Log4j 2) was created due to problems with Log4j 1.2, 1.3, java.util.logging, and Logback.
The Log4j 2 Vulnerability
The zero-day Log4j 2 vulnerability, Log4Shell (CVE-2021-44228), was first discovered and reported by Alibaba on November 24, 2021. Alibaba later published a tweet about it on December 9, 2021.
Since then, it has been one of the most talked-about vulnerabilities. This is primarily due to the remote code execution which affected services such as Cloudflare, Steam, Twitter, iCloud, Tencent QQ, and Minecraft: Java Edition. Consequently, the Apache Software Foundation assigned the maximum CVSS severity rating of 10 to this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) called the exploit “critical” and suggested vendors prioritize software updates.
This vulnerability not only allows unethical hackers to run code and access data on the affected devices, but it also allows them to delete or encrypt files. This opens the way for ransom demands.
Smaller than Expected Number of Log4j Attacks
Companies like Sophos track when vulnerabilities are exploited. There were fewer attacks experienced than initially expected, but that may be due to people in the cybersecurity community combining efforts to mitigate the vulnerability.
This is a good sign that we, as a community, are becoming more and more security conscious.
What Does the Future of Log4j Vulnerabilities Hold?
While the initial response to the Log4j vulnerability has been great, the future may not look so bright.
Like most exploitable vulnerabilities, Log4j could potentially stay around for some time. Once a vulnerability has been exploited, the process will always be readily available for anyone to view and potentially gain a foothold into the network. While a fix has been available for weeks, it is possible that some may either not know of this vulnerability or may be neglectful in updating to the newest version. All an unethical hacker has to do is detect an older version of the software and attempt an exploit.
How Do We Know if We Have the Log4j Vulnerability?
Most vulnerability scanners have updated their databases to detect Log4J. Since Log4Shell is a known vulnerability, MainNerve can run a scan to verify if the Log4Shell (or other known vulnerabilities) are present within your network. At MainNerve, every vulnerability scan we run is updated to the latest version to ensure all data is current in your report. We can easily run a scan and create a detailed-oriented report in a timely manner. If this vulnerability is detected in one of your devices, to remediate, simply update the device and you will be patched against Log4j.
MainNerve has provided such services (and more) for over 20 years. Allow us to help you.