Since security incidents due to the Java vulnerability in Log4j can hardly be avoided, IT managers should not only take technical measures. […]
From the point of view of many IT security professionals, December 9, 2021 was a black day: a particularly serious vulnerability (CVE-2021-44228) was discovered in the Apache logging package Log4j, the particularly widespread and popular Java logging library. The so-called Log4Shell vulnerability can be exploited by attackers particularly easily to execute malicious code. Patching, on the other hand, is rather complicated, which means that this problem could be as long-lasting as the corona pandemic.
The security organization MITRE classified the vulnerability as critical and rated it with the maximum CVSS (Common Vulnerability Scoring System) severity of ten points. Shortly afterwards, the first attackers began to exploit the Log4j vulnerability. Government cybersecurity institutions around the world, including the BSI, immediately issued warnings urging companies to patch their systems without delay.
Jonathan Care, Senior Director Analyst at Gartner, is already observing an “extremely wide spread of the Log4j vulnerability” today. It affects enterprise applications as well as embedded systems and their sub-components. Java-based applications such as Cisco Webex, Minecraft or FileZilla FTP are examples of affected programs, but the list is by no means complete. The vulnerability is even said to affect the Mars mission “Helicopter”, where Apache Log4j is used for event logging – a claim that NASA, however, vigorously denies.
Security professionals are now cataloguing the affected systems on GitHub. Of course, this list cannot be complete, and it does not guarantee that systems not named on it are unaffected. In addition, Gartner assesses the probability that this vulnerability will be exploited in more and more systems as high. Even if a company's own technology stack does not use Java, security managers should assume that important supplier systems – SaaS providers, cloud hosting providers and web server providers – do.
If the vulnerability is not fixed, attackers can use it to take over servers, applications and devices and penetrate corporate networks. There have been numerous reports of ransomware and other automated threats actively exploiting the vulnerability.
The attack threshold is particularly low. The exploit takes place before authentication, which means that attackers do not have to be logged in to an affected system in order to penetrate it. In other words, IT security professionals should assume that their web servers are vulnerable.
Gartner recommends that Chief Information Security Officers (CISOs) make the identification and remediation of the Log4j vulnerability an absolute and immediate priority. To begin with, they should conduct a detailed examination of all applications, websites and systems in their area of responsibility that are connected to the Internet or can be considered publicly accessible. This also applies to vendor products and cloud-based services that are hosted by the user. Priority should be given to systems that contain sensitive operational data, for example customer data or access credentials.
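The identification step above is usually the hard part in practice, because log4j-core ships inside application archives rather than as a separately installed package. The following inventory scanner is an added example written for this article, not Gartner's tooling or anything from the Log4j project. It walks a directory tree, opens every JAR/WAR/EAR (recursing into archives nested in WEB-INF/lib and similar), and reports each log4j-core copy it finds together with its version and a status. It assumes that 2.15.0 is the first release addressing CVE-2021-44228 (later follow-up fixes raised that bar, so treat the threshold as a parameter to adjust against the project's current advisory), and it treats a copy with the JndiLookup class stripped out as mitigated. The sample archives it builds are constructed in memory purely to exercise the scanner; they contain no real bytecode.

```python
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption for this example: first log4j 2.x release addressing CVE-2021-44228.
# Follow-up fixes moved the bar to newer 2.x releases; adjust against the current advisory.
FIXED_VERSION = (2, 15, 0)
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.15' -> (2, 15, 0); None when no version is recognisable."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def version_from_name(label):
    """Fallback: take the version from a conventional file name such as log4j-core-2.14.1.jar."""
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", os.path.basename(label))
    return parse_version(m.group(1)) if m else None


def manifest_attrs(zf):
    """Parse META-INF/MANIFEST.MF into a dict; continuation lines start with a single space."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    attrs, last = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def classify_archive(data, label, findings):
    """Inspect one archive given as bytes; recurse into nested archives (e.g. WEB-INF/lib/*.jar)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        attrs = manifest_attrs(zf)
        version = parse_version(attrs.get("Implementation-Version") or attrs.get("Bundle-Version"))
        if version is None:
            version = version_from_name(label)
        if version is not None and version >= FIXED_VERSION:
            status = "patched"
        elif JNDI_LOOKUP not in names:
            status = "mitigated"   # JndiLookup class removed from this copy
        elif version is None:
            status = "review"      # log4j-core present but version unknown: inspect by hand
        else:
            status = "vulnerable"
        findings.append({"path": label, "version": version, "status": status})
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            classify_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Scan every archive below root and return a list of finding dicts."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            classify_archive(path.read_bytes(), str(path), findings)
    return findings


def _fake_core_jar(version, with_jndi=True, with_manifest=True):
    """Constructed stand-in for a log4j-core jar (placeholder bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\n"
                        f"Implementation-Version: {version}\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample data: four copies of log4j-core with four different outcomes."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(_fake_core_jar("2.14.1"))
    (lib / "log4j-core-2.15.0.jar").write_bytes(_fake_core_jar("2.15.0"))
    (lib / "log4j-core-stripped.jar").write_bytes(_fake_core_jar("2.14.1", with_jndi=False))
    war = io.BytesIO()  # web app bundling an unversioned, manifest-less copy
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/logging.jar", _fake_core_jar("2.14.1", with_manifest=False))
    (Path(root) / "app.war").write_bytes(war.getvalue())


def demo():
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:<10} {str(f['version']):<12} {f['path']}")
```

Point `scan_tree()` at application directories, container image layers or backup mounts to build the inventory; findings marked "review" are copies whose version could not be read from the manifest or file name and need a manual check, which is exactly where renamed or repackaged libraries hide.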
Once this check is complete, IT security managers should turn their attention to external employees and make sure that they update their personal devices and routers, which are an important link in the security chain. Here it will not be enough simply to issue a list of instructions: vulnerable routers represent a potential entry point to important corporate applications and databases. In order to make progress here, the security team will have to rely on cooperation with the entire IT department.
Gartner also recommends preparing the response to serious incidents in line with the existing incident response strategy. It is important to involve all levels of the company – including the CEO, the CIO and the Board of Management. CISOs should definitely inform the management level in detail and prepare them for possibly having to answer questions in public. The Log4j vulnerability and the attack patterns that exploit it will remain acute for quite a while. Gartner advises being particularly vigilant for at least the next twelve months.