Organizations can become vulnerable even if they take all the right steps to protect themselves. That’s because the software they rely on isn’t perfect and may contain unpatched vulnerabilities. One such vulnerability, called Log4Shell, was discovered during the 2021 holiday season, and it’s still sparking headlines to this day.
Should you be worried about it? Yes, you should, and we explain why in this article. Of course, worrying alone won’t stop cybercriminals from exploiting Log4Shell to get their hands on sensitive data or to infect your computers with ransomware. To do that, you need to take concrete remediation steps, which this article also describes.
What Is Log4Shell?
Log4Shell is a critical vulnerability (rated 10 out of 10 points based on the Common Vulnerability Scoring System v3.X standard) in the Log4j Java-based logging utility, which is used by software developers around the world to record application activity in order to provide an audit trail that can be used to diagnose problems.
The vulnerability was disclosed by the Alibaba Cloud Security Team on December 9, and it was assigned CVE-2021-44228 a day after that. Shortly after, Free Wortley, CEO of open source data security platform LunaSec, which published an initial assessment of the vulnerability, was quoted saying that it was “a design failure of catastrophic proportions.”
Most cybersecurity professionals on social media were similarly horrified by the potential implications of Log4Shell for three main reasons:
- Log4j is an extremely widespread utility that can be found in most Java-based enterprise software applications.
- The vulnerability can be exploited with ease just by feeding a vulnerable application a carefully crafted string of text.
- When exploited, Log4Shell gives the attacker the ability to execute arbitrary code, allowing them to do basically anything they want with the vulnerable system.
Critical vulnerabilities like Log4Shell are what cybercriminals dream about at night. When one actually does appear in the wild, they race to exploit it before affected organizations realize what’s going on and do something about it.
Is Log4Shell a Threat to SMBs?
Immediately after the Log4Shell vulnerability was disclosed, cybercriminals began scanning the internet in search of vulnerable hosts.
“In the time it took most organizations to begin patching/upgrading efforts, there were recorded incidents of the vulnerability being used to compromise systems,” wrote Cymulate Research Lab on December 13, 2021.
The list of high-profile organizations affected by Log4Shell includes Amazon, Broadcom, Cisco, IBM, Oracle, Red Hat, Siemens, Ubiquiti, and others. Such organizations were also among the first to install the initial patch, which was released on December 10.
The problem is that many small and medium-sized organizations took days and even weeks to learn about Log4Shell. What’s worse, some have yet to perform a Log4Shell vulnerability assessment to determine if the software they rely on every single day is vulnerable, giving attackers plenty of time to infiltrate their networks undetected and install backdoors that allow them to come back later.
“Small businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,” said Ofer Maor, CTO of Israeli cloud security startup Mitiga, in an interview for Threatpost.
How Can I Protect My Business Against Log4Shell?
The Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (CCCS), Germany’s Bundesamt für Sicherheit in der Informationstechnik (BSI), and other cybersecurity authorities have urged organizations to patch vulnerable applications as soon as possible.
Three new versions of Log4j have been released since the initial disclosure of the vulnerability:
- 2.15.0: The fix included in this version of Log4j is incomplete in certain non-default configurations.
- 2.16.0: This version is vulnerable to Denial-of-Service (DoS) attacks.
- 2.17.0: Released on December 17, this version of Log4j finally fixed all known security issues.
To protect your business against Log4Shell, you should first determine which of your applications depend on the Java-based logging utility and how many of them are vulnerable. Then, you need to install the available patches. Finally, you should conduct an in-depth assessment of your IT infrastructure to confirm that you haven’t already been successfully targeted by an attacker.
At Aligned Technology Solutions, we can help you protect your business against Log4Shell and give you the peace of mind that comes with knowing that there’s no vulnerable software application hiding on your network. Book a free consultation today, and we’ll be in touch with you shortly.