Earlier this month, the Apache Software Foundation announced that its log4j Java-based logging utility (CVE-2021-44228) had been vulnerable to a remote code execution vulnerability (CVE-2021-4428). It was rated a critical severity vulnerability by MITRE and given a CVSS score of 10 out of 10. After the release of the Log4j patch, the vulnerability in the database was exploited in the wild shortly thereafter.
Consequently, several governmental cybersecurity organizations throughout the world, including the United States Cybersecurity and Infrastructure Security Agency, the Austrian CERT, and the United Kingdom National Cyber Security Centre, issued alerts urging organizations around the globe to instantly patch their systems.
During a discussion with Jonathan Care, Senior Director Analyst at Gartner a better understanding of the security implications of the Log4j vulnerability was given. In his presentation, he discussed how organizations are susceptible to threats arising from this vulnerability. He also discussed what measures they should be taking to ensure their enterprise systems are protected against potential threats arising from the vulnerability.
Are There Any Systems Affected by the Log4j Vulnerability?
In addition to affecting enterprise applications and embedded systems, Log4j's vulnerability is extremely widespread. Thus, it may influence their sub-components, as well as their sub-systems. Java-based applications including Cisco Webex, Minecraft, and FileZilla FTP are all examples of affected programs, but this is by no means an exhaustive list. Ingenuity, a NASA helicopter mission in the Mars 2020 program, uses Apache Log4j's logging API to record events, so the vulnerability affects this mission as well.
There are many resources available on the web which list vulnerable systems in the security community. Nevertheless, it should be noted that these lists are constantly changing, which makes it imperative to keep an eye on them. As a result, do not take a non-inclusion of a particular application or system as an indication that it will not be impacted by the patch.
There is a high probability that a particular technology stack will be exposed to this vulnerability. The vulnerability is likely to affect key suppliers such as SaaS vendors, cloud hosting providers, and web hosting providers.
Risk to Enterprise Applications and Systems, if the Vulnerability is Exploited
This vulnerability can be exploited by attackers if it is left unpatched, thus allowing them to take control of and infiltrate enterprise networks if it is left unpatched. The vulnerability is already being exploited by malware, ransomware, and a wide array of other automated threats that are actively taking advantage of this vulnerability.
This vulnerability can be exploited with a great deal of ease – all an attacker needs to do is enter a simple string into a chat window, which is all that it takes.
It is referred to as a "pre-authentication" exploit, which means that to exploit the vulnerability, the attacker does not have to sign into the vulnerable system. You should be prepared for the possibility of your web server becoming vulnerable.
To Protect Their Enterprises From Cybersecurity Threats, What Should CyberSecurity Leaders Do?
Identifying this vulnerability and remediating it as quickly as possible should be one of the top priorities for cybersecurity leaders. The first thing you should do is conduct a detailed audit of any applications, websites, and systems within your domain of responsibility that are connected to the internet or can be viewed as public-facing on the Internet.
Consider the importance of protecting sensitive operational data such as customer details and access credentials, which are stored on systems that contain sensitive operational data.
When you have completed the audit of your remote employees, you should turn your attention to the next step. Personal devices and routers that constitute a vital link in the chain of security should be updated by these provisions. An active, involved approach is likely to be required to achieve this. There is no point in simply issuing a list of instructions since this does not suffice. To gain access to a key enterprise application or data repository, vulnerable routers could be a potential entry point. Your IT team needs to support and cooperate with you in this endeavor.
When an organization has created an incident response plan and initiated formal severe incident response actions, now is the appropriate time to implement formal severe incident response measures. A board of directors, the CEO, the CIO, and the entire organization must be involved in this incident as we believe all levels of the organization should be involved.
Make sure you have informed senior leadership and that they are prepared to answer public questions about this issue. For at least the next 12 months, vigilance will be crucial for preventing the exploitation of this vulnerability and the attack patterns exploiting it. This is because neither is likely to disappear for some time.
