We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
A critical vulnerability discovered in Log4j, a widely deployed open source Apache logging library, is almost certain to be exploited by hackers — probably very soon. Security teams are working full-throttle to patch their systems, trying to prevent a calamity. (The massive 2017 privacy records breach of Equifax involved a similar vulnerability.) It’s a very bad day, and it could get much worse soon.
But in some regards at least, businesses are in a better position to avoid a catastrophe now than in the past. This being 2021, there are some advantages now when it comes to responding to a zero-day bug of this severity, security executives and researchers told VentureBeat.
First and foremost, “the world is primed for responding to these disclosures, with companies moving to mitigate issues within hours,” said Brian Fox, chief technology officer at Sonatype, in an email. “This particular issue is potentially more dangerous because Log4j is widely adopted. [But] the Apache Log4j team pushed out a fix with urgency. How quickly they moved greatly reduced the chance of severely negative, long-term impacts.”
Dave Klein, director of cyber evangelism at Cymulate, said that while the severity of the situation can’t be downplayed — he expects an exploit within 48 hours — the response to the discovery of the vulnerability shows that “we’re getting better at being proactive.”
“In the past, you literally had zero days that were two years long,” Klein told VentureBeat. “Today, it really has changed. What we’re seeing is a better situation where the world is finding bug bounties useful, finding vulnerabilities, doing proof of concepts … I’d argue that this is a great example of [security in] 2021.”
Crucially, the Apache Log4j team “worked overnight in a nearly unprecedented way to understand and turn around a fix on this quickly,” Fox said. “Oftentimes, zero day reports can take months to come to fruition from report to release. This one appears to have happened within days.”
The heightened awareness around cybersecurity has also led to greater buy-in at the corporate leadership level, including in the boardroom, which makes a difference too, Klein said.
“For me, cybersecurity is finally at a point where the boardroom gets it. And even if they don’t understand it completely, they’re reaching out to someone in technical leadership and saying, ‘I need to understand this better,'” he said. “What’s really happening is, the world’s waking up.”
On top of that, automation technologies for scanning open source code, such as software composition analysis (SCA), have found growing adoption in recent years. So has the use of detection and response capabilities, which could be crucial for uncovering threats in a situation like this.
There does appear to be less reliance on the Log4j Java library now than in the past, as well. “There’s more heterogeneity in the Java logging space than there was for a long time,” said Arshan Dabirsiaghi, cofounder and chief scientist at Contrast Security, in an email. “For a long time, the only thing we used was Log4j. It’s not even the default library in some major frameworks anymore.”
Regardless, “we’ll be seeing this vulnerability for the rest of our careers in all the nooks and crannies of our IT footprint,” Dabirsiaghi said. “But five years ago, it would have been a lot worse.”
‘Long tail’ vulnerability
None of this is to minimize how bad the situation is for security teams and how much worse things could get in the event of an exploit.
The threat posed by the remote code execution (RCE) vulnerability in Log4j is to potentially enable an attacker to remotely access and control devices.
“Since this vulnerability is a component of dozens if not hundreds of software packages, it could be hiding anywhere in an organization’s network, especially enterprises with massive environments and systems,” said Karl Sigler, senior security research manager at Trustwave SpiderLabs, in an email.
“The fact that this occurred during December just means a lot of holiday time is going to be missed for security teams that have to respond to threats trying to take advantage of this mass vulnerability,” Sigler said. “This vulnerability is going to have a really long tail, and will likely ruin weekends and vacations for many IT and information security professionals across the globe.”
Given the scale of affected devices and exploitability of the bug, “it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, in an email.
Update and be vigilant
Security firms say the vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j. Organizations are “advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications,” Morgan said.
One silver lining is that the configuration mitigations for the vulnerability are “straightforward” and can be easily implemented, said John Bambenek, principal threat hunter at Netenrich, in an email.
Services including Apple iCloud and Steam, and apps including Minecraft, have been found to have vulnerabilities to the RCE vulnerability, according to LunaSec.
Ultimately, according to Amit Yoran, CEO of Tenable, “the good news is that we know about it.”
“The fact that it has come to light means we’re in a race to find and fix it before bad actors take full advantage of it,” Yoran said.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.