Businesses around the world will spend years dealing with the repercussions from critical vulnerabilities discovered in Apache log4j, Tenable co-founder and CTO Renaud Deraison predicted.
The ubiquity of the Java logging package log4j in software used by everyone from Apache and Apple to Minecraft and Twitter gives threat actors an enormous attack surface to cause widespread global disruption, Huntress senior security researcher John Hammond said. Remote code execution exploits like these are innately dangerous since hackers can carry out an attack with a single line of text, he said.
“Ten years ago, an earthquake and subsequent tidal wave triggered the meltdown of the Fukushima nuclear power plant that continues to plague the region today,” Deraison wrote in a blog post Monday.
“Similarly, the early exploitation of log4j, during which attackers will go after the low-hanging fruit exposed by the vulnerability, will evolve over time to take the form of more complex attacks on more sensitive systems that have less exposure to the internet.”
The US Cybersecurity and Infrastructure Security Agency (CISA) on Saturday urged vendors to immediately identify, mitigate, and patch the wide array of products using software from the log4j library. CISA said it’s proactively reaching out to entities whose networks may be vulnerable and is leveraging its scanning and intrusion detection tools to help identify exposure or exploitation.
“This vulnerability poses a severe risk,” CISA director Jen Easterly said in a statement Saturday. “We will only minimise potential impacts through collaborative efforts between government and the private sector. We urge all organisations to join us in this essential effort and take action.”
CISA urged end users to upgrade to log4j version 2.15.0; identify any external facing devices that have log4j installed; ensure their Security Operations Center (SOC) is taking action on every single alert from devices with log4j installed; and install a web application firewall (WAF) with automatically updating rules so that the SOC can focus on fewer alerts.
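The first two CISA steps above (upgrade to 2.15.0 and find every device that has log4j installed) start with an inventory: you cannot patch a copy of log4j-core you do not know about. The following Python script is an added example written for this article, not tooling from CISA, Tenable, Huntress or Apache. It walks a directory tree, identifies log4j-core jars by the package path they contain (so renamed or vendor-bundled copies are still caught), reads the version from the filename or, failing that, from the jar's MANIFEST.MF, and flags anything below the fix version the article names. The sample deployment it scans is constructed in a temporary directory with empty placeholder jars; the `Implementation-Version` manifest fallback and the `FIXED_VERSION` threshold are assumptions to adjust to whatever release your vendor currently recommends.

```python
"""Added example: find Log4j 2 core jars on disk and flag versions below 2.15.0.

Illustrative code for this article, not CISA's, Tenable's or Apache's tooling.
It only locates jars and reads version metadata; it does not look inside
nested (shaded/fat) jars, inspect configuration, or examine running processes.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (2, 15, 0)  # the release the article says CISA urged users to install
CORE_PACKAGE = "org/apache/logging/log4j/core/"  # class path present in every log4j-core jar
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def inspect_jar(jar_path: str) -> Optional[str]:
    """Return the log4j-core version string for a jar, '' if it is log4j-core
    with no readable version, or None if the jar is not log4j-core at all."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = zf.namelist()
            if not any(n.startswith(CORE_PACKAGE) for n in names):
                return None
            m = JAR_NAME_RE.match(os.path.basename(jar_path))
            if m:
                return m.group(1)
            # Renamed or vendor-bundled jar: fall back to the manifest
            # (assumption: the build wrote an Implementation-Version header).
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.startswith("Implementation-Version:"):
                        return line.split(":", 1)[1].strip()
            return ""
    except (zipfile.BadZipFile, OSError):
        return None


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a directory tree and report every log4j-core jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = inspect_jar(path)
            if version is None:
                continue  # not log4j-core
            if version == "":
                status = "unknown-verify-manually"
            elif parse_version(version) < FIXED_VERSION:
                status = "vulnerable"
            else:
                status = "patched"
            findings.append({"path": path, "version": version or None, "status": status})
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path: str, version: Optional[str], core: bool) -> None:
    """Write a constructed sample jar; it contains no real Log4j code."""
    with zipfile.ZipFile(path, "w") as zf:
        if core:
            zf.writestr(CORE_PACKAGE + "Dummy.class", b"")
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def build_sample_tree() -> str:
    """Constructed sample deployment: one old jar, one renamed patched jar,
    one core jar with no version metadata, and one unrelated library."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)
    _write_jar(os.path.join(lib, "vendor-logging.jar"), "2.15.0", True)
    _write_jar(os.path.join(lib, "legacy-bundle.jar"), None, True)
    _write_jar(os.path.join(lib, "commons-text.jar"), "1.9", False)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(f"{finding['status']:24} {str(finding['version'] or '?'):8} {finding['path']}")
```

Point `scan_tree()` at an application's install directory instead of the constructed tree to get a real inventory. Anything reported as `unknown-verify-manually` is a log4j-core jar whose version could not be read and deserves a closer look rather than being assumed safe, and jars embedded inside other jars or inside container images are not covered at all by a plain filesystem walk.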
“We’re discovering new apps every minute which use log4j in one way or another,” Deraison wrote in his blog post on Monday. “It affects not only the code you build, but also the third-party systems you have in place. Everything from the new printer you’ve bought for the office to the ticketing system you’ve just deployed is potentially affected by this flaw.”
The log4j attack vector is trivial for adversaries, Huntress’ Hammond warned: a single string of text can trigger the application to start a process that ultimately lets an adversary run any code they choose on the target. As a result, Hammond said hackers are taking a spray-and-pray approach to wreaking havoc.
“The log4j package may be bundled in with software you use provided by any given vendor,” Hammond wrote in a blog post Friday. “In this scenario, unfortunately, the vendors themselves will need to push the security updates downstream. As you assess your own risk and threat model, please consider the components of the software you use and especially what may be publicly accessible.”
The log4j vulnerability shines a light on the risk associated with relying on open-source code libraries to build enterprise-scale applications, according to Deraison. Security ratings should be assigned to each piece of code in an open-source library to provide users with visibility into how well the open-source libraries are maintained from a security perspective, Deraison said.
“This dependence on what is effectively a wild, wild west of code libraries will continue to leave organisations vulnerable until they invest the time and resources needed to make them more secure,” Deraison wrote. “We’re long past time for the creation of a security classification system for open-source code libraries.”
The vulnerability is known as Log4Shell or LogJam and impacts the default configurations of frameworks such as Apache Struts2, Apache Solr, Apache Druid and Apache Flink. It was first reported by Alibaba Cloud’s security teams to Apache on Nov. 24. The first proof-of-concept exploit was published on GitHub Thursday, prompting adversaries to scan the internet for vulnerable systems, BleepingComputer said.
Apache on Friday released Log4j 2.15.0 to address the vulnerability, and endpoint security vendor Cybereason Friday evening released a ‘vaccine’ package called Logout4Shell that changes a setting on remotely vulnerable Log4j servers to mitigate the vulnerability.