Organizations can become vulnerable even if they take all the right steps to protect themselves. That’s because the software they rely on isn’t perfect and may contain unpatched vulnerabilities. One such vulnerability, called Log4Shell, was discovered during the 2021 holiday season, and it’s still sparking headlines to this day.
Should you be worried about it? Yes, you should, and we explain why in this article. Of course, worrying alone won’t stop cybercriminals from exploiting Log4Shell to get their hands on sensitive data or to infect your computers with ransomware. To do that, you need to take concrete remediation steps, which this article also describes.
What Is Log4Shell?
Log4Shell is a critical vulnerability (rated 10 out of 10 points based on the Common Vulnerability Scoring System v3.X standard) in the Log4j Java-based logging utility, which software developers use worldwide to record application activity to provide an audit trail that can be used to diagnose problems.
The Alibaba Cloud Security Team disclosed the vulnerability on December 9 and was assigned CVE-2021-44228 a day after that. Shortly after, Free Wortley, CEO of open-source data security platform LunaSec, published an initial assessment of the vulnerability and said it was “a design failure of catastrophic proportions.”
Most cybersecurity professionals on social media were similarly horrified by the potential implications of Log4Shell for three main reasons:
- Log4j is a pervasive utility found in most Java-based enterprise software applications.
- The vulnerability can be easily exploited by feeding a vulnerable application a carefully crafted string of text.
- When exploited, Log4Shell allows the attacker to execute arbitrary code, allowing them to do basically anything they want with the vulnerable system.
Critical vulnerabilities like Log4Shell are what cybercriminals dream about at night. When one does appear in the wild, they race to exploit it before affected organizations realize what’s going on and do something about it.
Is Log4Shell a Threat to SMBs?
Immediately after the Log4Shell vulnerability was disclosed, cybercriminals began scanning the internet searching for vulnerable hosts.
“In the time it took most organizations to begin patching/upgrading efforts, there were recorded incidents of the vulnerability being used to compromise systems,” wrote Cymulate Research Lab on December 13, 2021.
The high-profile organizations affected by Log4Shell include Amazon, Broadcom, Cisco, IBM, Oracle, Red Hat, Siemens, Ubiquiti, and others. Such organizations were also among the first to install the initial patch, released on December 10.
The problem is that many small and medium-sized organizations took days and even weeks to learn about Log4Shell. What’s worse, some have yet to perform a Log4Shell vulnerability assessment to determine if the software they rely on daily is vulnerable, giving attackers plenty of time to infiltrate their networks undetected and install backdoors that allow them to come back later.
“Small businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,” said Ofer Maor, CTO of Israeli cloud security startup Mitiga, in an interview for Threatpost.
How Can I Protect My Business Against Log4Shell?
The Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (CCCS), Germany’s Bundesamt für Sicherheit in der Informationstechnik (BSI), and other cybersecurity authorities have urged organizations to patch vulnerable applications as soon as possible.
Three new versions of Log4j have been released since the initial disclosure of the vulnerability:
- 2.15.0: The fix included in this version of Log4j is incomplete in certain non-default configurations.
- 2.16.0: This version is vulnerable to Denial-of-Service (DoS) attacks.
- 2.17.0: Released on December 17, this version of Log4j finally fixed all known security issues.
To protect your business against Log4Shell, you should first determine which applications depend on the Java-based logging utility and how many of them are vulnerable. Then, you need to install the available patches. Finally, you should conduct an in-depth IT infrastructure assessment to confirm that an attacker hasn’t successfully targeted you.
At Aligned Technology Solutions, we can help you protect your business against Log4Shell and give you the peace of mind that comes with knowing there’s no vulnerable software application hiding on your network. Book a free consultation today, and we’ll contact you.