The Cybersecurity and Infrastructure Security Agency is working closely with public and private sector partners to assess the impact of the Log4j vulnerability, which is considered to pose a severe risk, according to CISA Director Jen Easterly.
The Log4j vulnerability allows unauthenticated remote code execution in applications that use the Java logging library. The library is used in a wide range of applications, so the flaw has enormous implications for the IT security landscape, according to researchers. Billions of devices currently run Java, and the potential threat is being compared with some of the most serious security breaches seen over the past decade.
Authorities have formed a senior leadership group within the Joint Cyber Defense Collaborative (JCDC) that is designed to help bring the nation's strongest capabilities to bear against the vulnerability. Both the FBI and NSA are among the agencies working to contain this threat.
"This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use," Easterly said in the statement released on Saturday. "End users will be reliant on their vendors and the vendor community must immediately identify, mitigate and patch the wide array of products using this software."
Vendors also should communicate with customers to make sure that end users know that their products have the vulnerability and should prioritize software updates, according to Easterly.
CISA has added the vulnerability to its catalog of known exploited vulnerabilities, which Easterly said compels federal agencies — and sends a signal to non-federal partners — to urgently patch or remediate the vulnerability. CISA is also proactively reaching out to entities that may have vulnerable networks, and is leveraging its scanning and intrusion detection tools to identify potential exposure.
"Attackers are starting to use this vulnerability to target victims with cryptominers and botnet attacks, but expect more devastating attacks (like ransomware) leveraging this vulnerability in the future," Forrester Analyst Allie Mellen said in an email. "This vulnerability will be used for months if not years to attack enterprises, which is why security teams must strike while the iron is hot."
Potential threat actors have already begun widespread scanning for affected applications, according to researchers at Sonatype. The vulnerability is considered highly dangerous because it requires very little skill for an attacker to exploit.
Experts are comparing it to the Struts vulnerability that was used in the 2017 attack against Equifax, which exposed the data of more than 147 million people.
Attackers can execute this attack remotely, anonymously and without login credentials, according to Brian Fox, CTO at Sonatype.
Wide exposure
The Java logging package Log4j is so widely used by software developers that the vulnerability creates something of a waterfall effect, flowing from widely used applications down to the many businesses and individuals that use them.
The vulnerability is potentially of major significance because it has such a wide attack surface, according to John Hammond, senior security researcher at Huntress.
Organizations that use Apache Log4j should immediately upgrade to log4j-2.1.50.rc2 and make sure their Java instances are up to date, according to Hammond. Java powers a number of products used in the enterprise, ranging from custom-developed code to commercial off-the-shelf software, so some organizations may not even be aware that they use the library.
Hammond also warned that there is no universal patch, and therefore many vendors will roll out their own patches and security updates that conform to their software.
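A defender-side exposure check that follows from the advice above, added here as an example and not code from the article, CISA or any vendor named in it: it inventories Java archives on a host for a bundled log4j-core and flags copies older than the first fixed release. It assumes the jar carries Maven's pom.properties (shaded or relocated copies are not detected) and uses 2.15.0 as the threshold, which should be aligned with the vendor's own guidance; the sample archives are constructed inline.

```python
import io
import os
import re
import zipfile

# Threshold assumption: 2.15.0 is the first Log4j 2 release that closed the JNDI lookup path.
FIXED_VERSION = (2, 15, 0)
# Maven writes this file into every log4j-core jar it builds; relocated/shaded copies lack it.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_core_version(data, depth=1):
    """Return the log4j-core version bundled in an archive (bytes) as a tuple, or None.
    Also looks one level into nested jars (BOOT-INF/lib, WEB-INF/lib in fat jars and wars)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if POM in zf.namelist():
                m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", zf.read(POM).decode(), re.M)
                return tuple(int(x) for x in m.groups()) if m else None
            for name in zf.namelist():
                if depth > 0 and name.endswith(".jar"):
                    found = log4j_core_version(zf.read(name), depth - 1)
                    if found:
                        return found
    except zipfile.BadZipFile:
        pass  # not a zip-based archive, so nothing to report
    return None

def scan_tree(root):
    """Walk root; return (path, version, needs_upgrade) for every archive bundling log4j-core."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in (f for f in files if f.endswith((".jar", ".war", ".ear"))):
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                ver = log4j_core_version(fh.read())
            if ver:
                hits.append((path, ver, ver < FIXED_VERSION))
    return hits

def build_sample_archive(version, nested=False):
    """Constructed test input: a tiny jar declaring log4j-core, optionally wrapped in a war."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
    if not nested:
        return jar.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return war.getvalue()
```

Run `scan_tree("/opt")` (or wherever application archives live) and treat every hit with `needs_upgrade` set as an item for the vendor's patch rather than something to fix by swapping the jar by hand.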
"The good news is that Apache has a patch available, but because it's upstream with Apache, it has a bit of a trickle effect," said Roger Koehler, VP of threat operations at Huntress.
The update will need to trickle down to software vendors that can then apply the update and test their code, he said. "Add in the time required to notify users that an update is available, and the process can end up taking quite some time before businesses have actually patched their systems."
The vulnerability highlights what some researchers see as the inherent risk of relying on open source code libraries: they often provide the simplicity and speed needed to bring software to market, but in some cases do so at the expense of security.
The Log4j vulnerability points out the risks of working with open-source code libraries to build enterprise scale applications, according to Glen Pendley, deputy chief CTO at Tenable.
"Many organizations around the world rely on open-source libraries as a key element in their ability to bring applications to market quickly," Pendley said. "Yet, these libraries often stop short of a security first approach."
Tenable CEO Amit Yoran called Log4j the "single biggest, most critical vulnerability of the last decade" and warned that, when all the research is done, it may prove to be the biggest vulnerability in the history of modern computing.