Hear from the CIO, CTO and other C-level and senior executives on data and AI strategies at the Future of Work Summit on January 12, 2022. Learn more
Log4Shell, Apache Log4j The vulnerability that has plagued every security team since its announcement on Thursday, poses a massive cyber security risk because the vulnerabilities are too easy to use and Log4j is widely used in software. But the widespread deployment of Log4j, on its own, is why the Log4Shell defect is not so troublesome. The most relevant part may be the fact that most of the use of Log4j has inevitably been buried, making it extraordinarily difficult to find and fix.
Log4j is an open source logging library that is often packed with other pieces of software to work those extra pieces. But in many cases, there are no real or clear boundaries between Log4j and those pieces of software, said John Hammond, senior security researcher at Huntress.
“Log4j is versatile and forms an important foundation block for a lot of software – and those are the less obvious pieces that make this such a difficult situation,” Hammond said. “The way Log4j is packaged with other software or programs makes it difficult to detect which applications may be potentially vulnerable.”
Hard to find
Snyk’s research found that in Java applications that use Log4j, 60% use the logging library “indirectly” – meaning they use a Java framework that contains Log4j instead of using Log4j directly.
“It’s really hard to find out if you’re using it – and it’s hard to prevent,” said Guy Podzarni, co-founder and president of Snyk.
Log4Shell vulnerabilities affect enterprise software and cloud services extensively, and many applications written in Java are potentially vulnerable. Remote code execution (RCE) vulnerabilities can eventually enable an attacker to remotely access and control devices. Researchers have so far uncovered exploits, including the deployment of malware and the installation of Cobalt Strike, a popular tool with cybercriminals who are often seen as precursors to deploying ransomware.
Hides in code
According to Amy Lutwalk, co-founder and chief technology officer at Visa, internal research from Visa suggests that more than 89% of people in all environments have sensitive Log4j libraries. And “in many of them, Dave teams are convinced they have zero exposure – and are surprised to learn that some third-party components are actually created using Java,” Lutwalk said.
Dor Daly, director of information security at Vulcan Cyber, agreed that the widespread adoption of Log4j “may have hidden in a lot of code.”
While Log4j is not unique to the situation, “developers do not fully know what software they are running” is likely to be re-opened by this vulnerability, Daly said.
The whole purpose of development libraries, of course, is to simplify the developer’s life by reducing repetitive tasks and providing some abstraction, said Vitor Ventura, senior security researcher at Cisco Telus.
However, in this situation, “it is entirely possible that the developers do not know that Log4j is being used on the components they are using, whether it be a library or an application server,” Ventura said.
Fix what you know
During the early stages of responding to vulnerabilities, Casey Ellis, founder and chief technical officer of Bugcroad, said, “It’s important to focus on what you know and can ‘improve’ first.”
“But it would also be prudent for organizations ખાસ especially large organizations to act on the assumption that Log4j is an unfamiliar sensitive environment, and to make plans to mitigate the risks it poses,” Ellis said.
Controls that may help reduce the risk posed by “shadow” Log4j include blocking known malicious Log4Shell attempts using web application firewall (WAF) technology and other similar filtering technologies, as well as the exit of outbound connections to the firewall and internal DNS. Includes filtering. Alice.
Inbound filtering will work with noise and will limit the casual attacker’s ability to exploit the unfamiliar Log4j instance, and will limit the effect of aggression filtering data exfiltration – or the recovery of the second phase payload – if an attacker succeeds. Against a sensitive example, he said.
Davis McCarthy, chief security researcher at Voltix, said businesses should adhere to the principles of level protection and assume that it is not “if” but “when” you are being hacked.
Along with WAF technology, other approaches to “virtual patching” could include implementing an infiltration prevention system (IPS), McCarthy said. Businesses should also enable workload segmentation and traffic filtering to ensure that only approved connections occur with and from their applications, he said.
“It often takes weeks or more to patch a vulnerability like this, and we don’t necessarily see the worst of it,” McCarthy said.
Rick Holland, chief information security officer at Digital Shadows, said that in a world where vendors “do not report or even know all the software used in their solution, defenders should return to investigation and response.” The principles of network segmentation, surveillance, and minimal privilege of minimum privilege are the restrictions that defenders must take advantage of to minimize these risks, Holland said.
Content software bill
Hollande said that in the long run, businesses should collectively force vendors to provide a Software Bill of Materials (SBOM), which details all components in a piece of software.
SBOMs will help in such a situation as they will show all the transition dependencies of the application, along with the original open source library that was purposely brought into the application, said Brian Fox, chief technical officer of Sonatype.
After all, “if you don’t pay attention to your infected dependence, you’re not really protecting yourself completely,” Fox said. “However this is a definite thing. With the right tools and automation, companies and vendors can stay on top of this. And it all starts with a software bill of materials for every single application in your organization.”
VentureBeat’s mission is to become a digital town square for technical decision makers to gain knowledge about transformative technology and practices. Our site delivers essential information on data technologies and strategies so you can lead your organizations. We invite you to access, to become a member of our community:
- Up-to-date information on topics of interest to you
- Our newsletters
- Gated idea-leader content and discounted access to our precious events, such as Transform 2021: Learn more
- Networking features and more
Become a member