What do NASA, nearly half of corporate networks, Cisco Webex, and Minecraft have in common? The Apache Log4j vulnerability – they’ve all been affected by the security flaw that’s taken the world by storm. In this blog, we examine the implications of the Log4j vulnerability for your organization and ways to secure yourself. If you’re a CloudAlly Backup customer, you can breathe a sigh of relief – CloudAlly does not use Apache’s Log4j library.
What is the Apache Log4j Vulnerability And Security Flaw?
As described by Apache, “Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.”
Log4j is a widely used, open-source logging framework that developers use to record what their applications are doing. The vulnerability is easy to exploit: an attacker sends the application a few lines of malicious input and waits for it to be logged. Once it has been logged, the server is compromised and the attacker can remotely run any code they wish on it.
How Does it Impact Me?
It probably does. The danger of the Apache Log4j vulnerability lies in three things: its ubiquity – most developers use it because it’s open source, reliable and plug-and-play, and it saves a lot of effort compared with building your own logging library from scratch; its ease of exploitation – as detailed above, it is easy to exploit; and its severity – exploiting it gives the attacker the keys to the kingdom! Once the hacker is in your company’s server, they have an entry point into your network. In the complex labyrinth of the modern tech stack, chances are that log4j was used by some developer at some point in some app, especially if Java has been used.
Log4j is living up to the hype around it, but the full impact is just emerging. The more sophisticated actors will take their time to do a recce of your network before weaponizing the vulnerability. Here’s a sampling of what security experts are saying.
“As soon as I saw how you could exploit it, it was horrifying,” says Membrey. “Like one of those disaster movies where there’s a nuclear power plant, they find it’s going to melt down, but they can’t stop it. You know what’s coming, but there are very limited things you can do.”
– Peter Membrey, chief architect of ExpressVPN
“It is by far the single biggest, most critical vulnerability ever.”
– Amit Yoran, Tenable
“Honestly, the biggest threat here is that people have already gotten access and are just sitting on it, and even if you remediate the problem somebody’s already in the network. It’s going to be around, as long as the internet.”
– Sean Gallagher, Senior Threat Researcher, Sophos
How Can I Mitigate the Risk of the Apache Log4j Vulnerability and Security Flaw?
The National Cybersecurity & Infrastructure Security Agency cautions that log4j vulnerability mitigations should be applied “immediately” – upgrade to Log4j 2.15.0 or apply the source code patch. The CISA’s director, Jen Easterly, has advised the following:
1. Enumerate any external-facing devices that have log4j installed.
2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
3. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
The CISA has a resources page with details about the log4j vulnerability and how to mitigate the risks. So far, the log4j attackers have largely been cryptominers, but this is just the beginning of the vulnerability being exploited. Security firm Check Point has seen over 1.8 million attempts to exploit it, at times as many as 100 per minute. And nation-state spies are reported to be exploiting the vulnerability. The perfect storm is just getting started.
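Step 1 above, enumerating where log4j is installed, can be started on a single host with a script like the one below. It is an added example, not CloudAlly’s or CISA’s tooling; it assumes jars are named log4j-<version>.jar (1.x) or log4j-core-<version>.jar (2.x), reads the manifest’s Implementation-Version, and flags every 1.x jar (the Apache advisory quoted earlier) and every 2.x jar below the 2.15.0 that this post names.

```python
"""Inventory Log4j jars under a directory; assumed names log4j-<ver>.jar (1.x) or
log4j-core-<ver>.jar (2.x), manifest Implementation-Version; 2.15.0 is the post's threshold."""
import re
import tempfile
import zipfile
from pathlib import Path

JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$")
MANIFEST_VERSION = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)

def parse_version(text):
    """'2.15.0' -> (2, 15, 0); tolerates suffixes such as '2.0-beta9'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def jar_version(jar_path):
    """Prefer the manifest's Implementation-Version, else fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        manifest = ""
    m = MANIFEST_VERSION.search(manifest) or JAR_NAME.match(jar_path.name)
    return m.group(1) if m else None

def scan(root, minimum="2.15.0"):
    """One record per Log4j jar: 1.x is flagged outright, 2.x if older than minimum."""
    findings = []
    for path in Path(root).rglob("log4j*.jar"):
        if not JAR_NAME.match(path.name):
            continue
        version = jar_version(path)
        parsed = parse_version(version) if version else ()
        needs_upgrade = not parsed or parsed[0] == 1 or parsed < parse_version(minimum)
        findings.append({"path": str(path), "version": version, "needs_upgrade": needs_upgrade})
    return sorted(findings, key=lambda f: f["path"])

def make_sample_jar(path, version):
    """Constructed stand-in for a real jar: a manifest only, no classes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

def demo():
    """Build three constructed jars in a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root, "app", "lib")
        lib.mkdir(parents=True)
        make_sample_jar(lib / "log4j-1.2.17.jar", "1.2.17")
        make_sample_jar(lib / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(lib / "log4j-core-2.15.0.jar", "2.15.0")
        return scan(root)
```

demo() scans constructed sample jars in a temporary directory; point scan() at a real path such as an application’s lib directory to inventory a host.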
How Does the Apache Log4j Vulnerability Impact CloudAlly?
Relax, it does not! The Apache log4j vulnerability does not impact CloudAlly, as we do not use Apache’s Log4j library. In addition, our security team has checked all third-party libraries we use and has found no vulnerabilities so far. We can reassure our customers that no harm has been caused by the Log4j vulnerability – your backups are safe as always! CloudAlly continues to be fanatical about its security – read more about our stringent secure credentials here.