Gartner explains what security leaders need to know and do about the Log4j vulnerability.
Apache Software Foundation recently released a security advisory addressing a remote code execution vulnerability affecting its Log4j Java-based logging utility. MITRE rated the vulnerability as a critical severity and assigned it a CVSS score of 10/10.
Attackers in the wild began exploiting the Log4j vulnerability quickly, prompting global government cybersecurity institutions, including the United States Cybersecurity and Infrastructure Security Agency and Austria's CERT, to issue alerts urging organisations to patch their systems immediately.
Jonathan Care, Gartner senior director analyst, explains some risks the vulnerability poses for organisations and the steps security leaders should take to secure their enterprise systems against potential associated threats.
How widespread is the Log4j vulnerability, and what kinds of systems are affected?
Care says the Log4j vulnerability is prevalent and can affect enterprise applications, embedded systems, and subcomponents. He says Java-based applications including Cisco Webex, Minecraft and FileZilla FTP are all examples of affected programs, but this is by no means an exhaustive list. The vulnerability even impacts the Mars 2020 helicopter mission, Ingenuity, which uses Apache Log4j for event logging.
The security community has created resources cataloguing vulnerable systems, but it's important to note that these lists are constantly changing, so if a particular application or system is not included, don't take it as assurance that it isn't impacted.
"Exposure to this vulnerability is highly likely, and even if a particular tech stack does not use Java, security leaders should anticipate that key supplier systems, such as SaaS vendors, cloud hosting providers and web server providers, do," says Care.
Presuming the vulnerability is exploited, what threat does this pose to enterprise applications and systems?
If left unpatched, attackers can use this vulnerability to take over computer servers, applications and devices, and infiltrate enterprise networks.
"We're already seeing reports of malware, ransomware and other automated threats actively exploiting the vulnerability," says Care.
"The attack barrier for this vulnerability is extremely low. It only requires an attacker typing a simple string into a chat window. The exploit is 'pre-authentication,' which means an attacker doesn't need to sign in to a vulnerable system to overcome it. In other words, expect that your web server is vulnerable."
What steps should cybersecurity leaders take to protect their enterprises?
Care says cybersecurity leaders need to make identification and remediation of this vulnerability an absolute and immediate priority. "Start with a detailed audit of every application, website and system within your domain of responsibility that is internet-connected or can be considered public-facing."
He says this includes self-hosted installations of vendor products and cloud-based services, and that particular attention should be paid to systems that contain sensitive operational data, such as customer details and access credentials.
"Once the audit is complete, turn your attention to remote employees, and ensure that they update their personal devices and routers, which form a vital link in the security chain," says Care.
"This will likely require a proactive, involved approach, as it is not sufficient to simply issue a list of instructions, given vulnerable routers provide a potential entry point into key enterprise applications and data repositories. You'll need the support and cooperation of the broader IT team."
Overall, this is the time to invoke formal severe incident response measures in line with organisational incident response plans. This incident merits involvement at all levels of the organisation, including the CEO, CIO and board of directors.
"Ensure you've briefed senior leadership and that they're prepared to respond to questions publicly. This vulnerability and the attack patterns exploiting it are unlikely to subside for some time, so active vigilance will be essential for at least 12 months.