On December 9th, 2021, information was published regarding a new vulnerability within the Java Log4j application library. This vulnerability has been assigned a CVSS score of 10.0 – the highest score possible. Given the potential impact and how easily this vulnerability can be exploited, it’s considered critical. If vulnerable, an unauthenticated attacker could remotely execute code on the exposed system – potentially leading to a complete system compromise.
Why is Log4j a Critical Vulnerability?
There are a few factors that make this vulnerability even more impactful. The biggest factor is that this Log4j utility is used widely within applications but is typically buried within these systems. Due to this, software and hardware vendors have spent the last several days attempting to determine if their systems are exposed to this vulnerability.
In some cases, a single function within an application uses this library. Due to log4j’s design and intended usage, it cannot easily be disabled to prevent the vulnerability from being exploited. Because of this, patching and mitigation efforts are imperative.
ADNET’s Approach to Log4j
Since the vulnerability was disclosed, ADNET’s security team has been monitoring the information coming from the partner, vendor and technology communities. We’re working closely with our New Charter Technologies partners, sharing information on Log4j throughout our nationwide network of elite MSPs and Managed Security providers. In situations like this, having access to additional resources, knowledge and skill sets is a huge asset. We’re committed to leveraging the relationships we have with our New Charter Technologies family to ensure our clients have access to the best possible remediation options.
ADNET’s Security Team has been doing its own testing to determine the nature of the threats. We have a process in place that we can leverage to help determine if systems may be impacted by the Log4j vulnerability. ADNET’s Service Operations Team is performing pre-emptive countermeasures on applications for managed clients per vendor recommendations and is on standby to help clients as needed. For managed clients, we’re looking at client inventory and cross-referencing it against possible exposure at the vendor level to determine the best course of action.
Unfortunately, without vendors examining their source code and providing confirmation that a vulnerability doesn’t exist within it, there’s no way to be 100% certain it doesn’t. We can take steps internally to determine what’s impacted, but without that level of depth, it’s not foolproof and should be considered a guide as opposed to a guarantee. To a certain extent, we have to trust the vendors to do their due diligence.
The Long-term Impacts of the Log4j Vulnerability
Multiple manufacturers have already identified various applications as having potential exposure issues, and it’s only a matter of time before more are discovered. The ADNET Security Team is working closely with our Service Operations Team to remediate these known issues. A good example of this is the vulnerability within VMware vCenter servers (CVE-2021-44228), which we began working on earlier this week. We will continue to monitor the impacts of this vulnerability and our team has action plans and procedures in place to address issues as they’re uncovered.
The widespread implications of this exploit aren’t fully known yet and this is going to be a long process. Because Log4j is deeply embedded in so many applications, there’s no simple way to tackle this vulnerability. There’s ambiguity on exactly what is impacted and how many applications leveraging the Log4j utility are affected, with new details coming out every day. It’s a needle in a haystack situation for vendors to determine everywhere this utility is used. For now, the focus should stay on external systems – anything susceptible that’s configured with internet access should be addressed first. Eventually, internal systems should be reviewed and remediated as well.
This is an incredibly fluid situation, and we will continue to provide updates as more information is revealed. As always when it comes to security vulnerabilities, the importance of tools like Risk Assessments and Vulnerability Scans can’t be overlooked. Managed IT can also help your organization stay on top of vulnerability remediation in many cases.
Vulnerabilities like Log4j require an “all-hands” team approach from the security community and sharing what we have learned is a responsibility we take seriously. At the end of the day, I truly believe that vendors, security professionals, and Managed Service Providers all want the same thing – to keep clients from experiencing the fallout from a vulnerability like this.
If you have questions about this security issue or would like help taking precautions against the Log4j vulnerability, reach out to us. We’re here to help.