This logging library is widely used and is found in a wide range of appliances and software, including Apache projects such as Struts, Tomcat and Solr, Linux distributions, and products from vendors such as BlackBerry, Symantec and Apple.
Who’s most affected?
Unfortunately, no particular type of organization is more likely to be affected than another, and it is difficult for an individual business to tell whether it is vulnerable. For example, a customer's own internally developed software may not contain the vulnerable library, yet appliances and services it relies on (such as VPN devices or cloud providers) may still be affected.
As this is an Apache library, it is more likely to be running on Linux servers; however, the flaw is in a Java library, and Java runs on many platforms, so Windows, Linux and Apple servers could all be vulnerable. We suspect companies in the $25m to $1Bn range are most at risk, because they are likely to be running vulnerable software or devices. This vulnerability heightens ransomware risk: ransomware gangs can exploit it to gain initial access to a customer's network and then deploy ransomware.
What should you tell your clients?
Key questions to ask your clients:
- Are you aware of the recent Log4j vulnerability, CVE-2021-44228, also known as Log4Shell?
- Have you assessed your exposure to it for internally developed applications?
- Have you spoken to your hardware/software/cloud vendors and assessed whether their services are impacted?
- Do you have a plan to deploy updates based on the outcomes of the questions above?
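The second question, assessing exposure in internally developed applications, usually comes down to finding every copy of log4j-core that an application ships, including copies nested inside WAR and EAR files, and checking its version. The script below is an added example written for this page; it is not BOXX's or the Apache project's code. It walks a directory, opens each JAR/WAR/EAR, recurses into nested archives, reads the log4j-core version from the Maven pom.properties, manifest or file name, and flags the CVE-2021-44228 affected range (2.0-beta9 through 2.14.1, with the back-ported fixes 2.3.1 and 2.12.2 treated as fixed). It also reports whether JndiLookup.class is present, since removing that class was a widely used interim mitigation. The sample archives it builds are constructed stand-ins with dummy class bytes, not real Log4j jars; run it against a real tree with `python scan_log4j.py /opt/myapp`.

```python
"""Scan JAR/WAR/EAR files (including nested archives) for Apache Log4j 2 core
and report whether the bundled version falls in the CVE-2021-44228 range.
Added example for this page, standard library only; sample archives are constructed."""
import io
import os
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
MAX_DEPTH = 5  # guard against pathological nesting


@dataclass
class Finding:
    path: str                 # nested entries are joined with "!/"
    version: Optional[str]    # None if the version could not be determined
    jndi_lookup_present: bool
    vulnerable: bool


def is_vulnerable_version(version: str) -> bool:
    """True if log4j-core `version` is in the CVE-2021-44228 affected range
    (2.0-beta9 .. 2.14.1). 2.3.1 and 2.12.2 are back-ported fixes; 2.0.x is
    treated as affected as a whole. Log4j 1.x is not affected by this CVE."""
    m = VERSION_RE.match(version)
    if not m:
        return True  # unparseable: flag it so a human reviews it
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 2:
        return False
    if minor == 3:
        return patch < 1
    if minor == 12:
        return patch < 2
    return minor < 15


def _version_from_jar(zf: zipfile.ZipFile, name: str) -> Optional[str]:
    """Prefer Maven pom.properties, then the manifest, then the file name."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    fname = os.path.basename(name)
    if fname.startswith("log4j-core") and "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", fname)
    return m.group(1) if m else None


def scan_bytes(name: str, data: bytes, findings: Optional[List[Finding]] = None,
               depth: int = 0) -> List[Finding]:
    """Inspect an archive held in memory, recursing into nested archives."""
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; skip silently
    with zf:
        names = zf.namelist()
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            version = _version_from_jar(zf, name)
            jndi = JNDI_LOOKUP in names
            # Affected only if the lookup class is still present AND the version
            # is in range; an unknown version (e.g. a shaded uber-jar) is flagged.
            vulnerable = jndi and (version is None or is_vulnerable_version(version))
            findings.append(Finding(name, version, jndi, vulnerable))
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                scan_bytes(f"{name}!/{n}", zf.read(n), findings, depth + 1)
    return findings


def scan_directory(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    scan_bytes(p, fh.read(), findings)
    return findings


def _make_jar(entries: Dict[str, object]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, content in entries.items():
            zf.writestr(n, content)
    return buf.getvalue()


def build_sample_archives() -> Dict[str, bytes]:
    """Constructed test archives: dummy class bytes, not real Log4j code."""
    def core(version: str, with_jndi: bool = True) -> bytes:
        e = {POM_PROPS: f"version={version}\n",
             "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe"}
        if with_jndi:
            e[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
        return _make_jar(e)
    return {
        "log4j-core-2.14.1.jar": core("2.14.1"),                 # affected
        "log4j-core-2.12.2.jar": core("2.12.2"),                 # back-ported fix
        "log4j-core-2.14.1-patched.jar": core("2.14.1", False),  # JndiLookup removed
        "app.war": _make_jar({"WEB-INF/lib/log4j-core-2.17.1.jar": core("2.17.1")}),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:  # no path given: demonstrate on the constructed samples
        results = [f for n, d in build_sample_archives().items() for f in scan_bytes(n, d)]
    for f in results:
        print(f"{'VULNERABLE' if f.vulnerable else 'ok':10} {f.version or '?':8} "
              f"jndi={f.jndi_lookup_present} {f.path}")
```

A clean result here does not close the question on its own: log4j-core can also be shaded into an application jar under a different package name, or loaded from the classpath outside the deployment tree, so treat the scan as one input alongside the vendor enquiries in the questions above.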
(Please note these are external links and are not endorsed or vetted by BOXX):
Apache Log4j Advisory
CCCS AV21-626 Apache Security Advisory
CERT United Kingdom – Alert: Active scanning for Apache Log4j 2 vulnerability (CVE-2021-44228)
CERT New Zealand – Log4j RCE 0-day actively exploited
Florian Roth – log4j RCE Exploitation Detection (Grep and YARA)
Greynoise IP List – CVE-2021-44228 Apache Log4j RCE Attempts
GitHub community resource identifying vulnerable applications
NCSC-NL GitHub resource
CISA Apache Log4j Vulnerability Guidance