On December 10, 2021, multiple media outlets, the Cybersecurity and Infrastructure Security Administration (CISA), and the director of cybersecurity at the National Security Agency (NSA) began alerting to a significant vulnerability in an open source Apache logging library called “Log4j.” According to multiple sources, software has been publicly released that exploits this vulnerability and allows an attacker to gain full control of affected servers. Log4j is widely used and will take some time to patch and remediate, making many corporate systems and cloud environments vulnerable to attack.
Apache Log4j is a java-based logging utility that is incorporated into numerous frameworks and applications, and used by many major cloud services. On December 6, 2021, Apache announced version 2.15.0 of Log4j, noting that it corrects a critical remote code execution vulnerability, CVE-2021-44228. On December 9, 2021, several cybersecurity- and technical-focused media outlets began reporting that the vulnerability was being actively exploited and could result in a full system takeover.
The seriousness of the vulnerability combined with the widespread adoption of Log4j has resulted in alerts from CISA and the NSA. NSA Cybersecurity Director Rob Joyce tweeted that “[t]he log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA.” Joyce also noted that this vulnerability underscores the need for increased adoption of software bill-of-materials (BOM) practices.
Practical Next Steps
Companies will need to work quickly to assess whether, and to what extent, they or their service providers are using Log4j. The following are questions and considerations for corporate counsel:
Are we at risk? Ask IT and security personnel whether any software used in the company’s environment uses Log4j. In particular, inquire whether the company uses the vulnerable version of Apache.
Do our products use Log4j? Your company’s software products may use Log4j. If so, assess the exposure and establish a plan for upgrading to the latest safe version. Your customers will likely be asking, and you should have a response.
Ask your service providers whether their products or environment use Log4j. If so, ask whether they have patched to the latest version of Log4j, and have them provide a patch road map if they haven’t patched already.
Ready your incident response team and confirm that after-hours contact information for your incident response team is up to date.
Confirm your security operations are monitoring Internet-facing systems for indicators of compromise and are prepared to execute your incident response plan.
Some public threat intel outlets have identified malicious IP addresses that are actively scanning Internet-facing systems for this vulnerability. Consider blacklisting those malicious IPs.
If patching is not an immediate option, consider other containment measures to limit the potential impact of this vulnerability (e.g., sandboxing, air gapping, taking offline).
Finally, if involved in a corporate acquisition, query the target entity with similar steps and questions as outlined above, and evaluate the risk accordingly.