Dive Brief:
- The Cybersecurity and Infrastructure Security Agency (CISA), the FBI and NSA warned organizations across the globe to remain vigilant against active attempts to exploit Log4j vulnerabilities as part of a joint advisory with partner agencies that make up the Five Eyes, which includes the U.K., Canada, Australia and New Zealand.
- The joint advisory includes mitigation advice for CVE-2021-44228 (Log4Shell), CVE-2021-45046 and CVE-2021-45105. U.K. officials also included specific advice on how corporate boards should handle questions surrounding Log4j-related issues. Specific guidance is included for ICS and OT environments as well.
- Security researchers published reports showing existing web application scanning tools are missing deeply embedded Log4j instances. A significant percentage of companies are not even running scans.
Dive Insight:
The international warning echoed a CISA call to almost 5,000 public and private sector critical infrastructure providers this week, which encouraged vigilance over the holidays.
CISA officials outlined three priority areas, according to Dawn Cappelli, VP and CISO at Rockwell Automation, one of the participants on the call:
- Mitigate vulnerabilities on internet-facing devices
- Patch products for which a Log4j patch is available
- Refer to the more tactical mitigation measures detailed on the CISA website
The CISA website includes links to a GitHub repository with community-sourced information, including vendor and software information.
"They said they are seeing adversaries bypass web application firewalls, so they are necessary but not sufficient for Log4j defense," said Cappelli. "They are not seeing supply chain attacks yet, but recommend companies check with their third parties to find out their posture for Log4j."
Three of the leading web application scanning tools have been unable to fully detect all instances of Log4j because the vulnerable library is nested inside other code, according to a report released this week by Rezilion.
"The biggest challenge lies in detecting Log4j within packaged software in production environments," Liran Tancman, CEO of Rezilion, said in an email. "Java files, such as Log4j, can be nested a few layers deep into other files, which means that a shallow search for the file won't find it."
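To make the nesting problem concrete, here is an added example (not Rezilion's or any vendor's tool) that contrasts a shallow top-level filename check with a scanner that walks archives recursively. It builds a constructed EAR-in-WAR-in-JAR sample in memory and looks for the `JndiLookup.class` entry and the Maven `pom.properties` version that log4j-core ships.

```python
import io
import zipfile

# Stable paths inside log4j-core 2.x jars: the JNDI lookup class and the
# Maven properties file that records the library version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, path="", depth=0, max_depth=8, hits=None):
    """Open every archive nested inside `data` and record each location
    where JndiLookup.class is present as (nested path, version or None)."""
    if hits is None:
        hits = []
    if depth > max_depth:  # bound recursion on odd or hostile inputs
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container; nothing to descend into
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            hits.append((path or "<root>", version))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                child = f"{path}/{name}" if path else name
                scan_archive(zf.read(name), child, depth + 1, max_depth, hits)
    return hits


def shallow_scan(data):
    """Filename-only check of the outer archive's top-level entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if "log4j-core" in n.lower()]


def build_sample_ear():
    """Constructed sample: log4j-core jar inside a WAR inside an EAR."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()
    core = zipped({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
    war = zipped({"WEB-INF/lib/log4j-core-2.14.1.jar": core, "index.html": b"<html/>"})
    return zipped({"app.war": war, "META-INF/application.xml": b"<application/>"})
```

On the constructed sample, `shallow_scan` returns nothing while `scan_archive` reports the jar two layers down with its version, which is the gap the report describes.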
Log4j has been found in about 10% of the assets scanned for the vulnerability, which include everything from servers to web applications, containers and IoT devices, according to researchers from Tenable.
Tenable research shows 30% of organizations haven't even scanned for the vulnerability, based on telemetry data from the security firm.
"Log4Shell has been identified as one of the biggest cybersecurity risks we've ever encountered, yet many organizations still aren't taking action," Amit Yoran, chairman and CEO of Tenable, said via email.
Two in five users are still downloading vulnerable versions of Log4j, highlighting a continuing risk to organizations, according to data from Sonatype.
Clarification: This article has been updated to emphasize web application scanning tools are struggling to fully detect instances of Log4j because the vulnerability is nested inside other code.