Log4j is a Java logging library used by millions of computers worldwide that run online services. The vulnerability in it, CVE-2021-44228, was disclosed as a zero-day (0-day) and rated the highest severity under the Common Vulnerability Scoring System (CVSS): a 10 out of 10, because of the impact it can have if leveraged by attackers. It allows attackers to remotely execute code on, and take control of, vulnerable machines.
While Log4j is maintained by Apache, it is utilized in many vendor applications and appliances as well as in custom-built systems. The following reference lists the known affected vendors as of December 12, 2021 but should not be considered definitive. Organizations should contact vendors directly for additional information.
This vulnerability, also known as Log4Shell, allows remote code execution in many applications through web requests and without authentication, which puts both information technology (IT) and operational technology (OT) infrastructure at risk.
The Log4j vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, leaves several industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, and transportation. Log4j is widely used in a variety of consumer and enterprise services, websites, and applications, as well as in OT products, to log security and performance information. The agency identified that an unauthenticated remote attacker could exploit this vulnerability to take control of an affected system.
Possible risks to OT:
Identify, Assess, Prioritize, and Action: these are the four pillars that will help any OT organization tackle this vulnerability in a structured way. The severity of the Apache Log4j vulnerability is beginning to unfold in the industrial sector as vendors identify the presence of this cross-cutting vulnerability in their product lines.
It is important to note that this vulnerability affects both IT and OT systems that use Java in their codebase. Given its severity, more sophisticated variations of Log4j exploits will emerge, with a higher likelihood of directly impacting OT networks. Organizations will need to drive the approach from the bottom up: once the affected networks and applications are identified, the exposure can be pinpointed and an action plan drafted. Keep in mind that it is imperative to stay up to date with advisories, as they are updated continually.
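The Identify step above comes down to finding every copy of log4j-core in an estate, including copies buried inside application archives. The following script is an added example, not from the original article or from Apache: it walks a directory, opens each JAR/WAR/EAR, recurses into nested archives, reads the log4j-core version from its Maven pom.properties, and flags versions in the CVE-2021-44228 range (assumed here as 2.0-beta9 through 2.14.1, with 2.15.0 and the Java 6/7 backports 2.3.1 and 2.12.2 as the first fixed releases). It also reports whether JndiLookup.class is still present, since removing that class from the jar was the recommended mitigation where upgrading was not immediately possible.

```python
import io, re, zipfile
from pathlib import Path

# Added example (not from the article): locate log4j-core archives and flag
# CVE-2021-44228 versions. Assumed affected range: 2.0-beta9 .. 2.14.1, with
# 2.15.0, and the Java 6/7 backports 2.3.1 and 2.12.2, as the first fixed ones.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def is_affected_version(version: str) -> bool:
    """True if a log4j-core version string is in the CVE-2021-44228 range."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", version)
    if not m or int(m.group(1)) != 2:
        return False                      # 1.x is EOL but not hit by this CVE
    minor, patch = int(m.group(2)), int(m.group(3) or 0)
    if minor == 0 and m.group(4):         # 2.0 pre-releases: beta9 onward
        return not (m.group(4) == "beta" and int(m.group(5)) < 9)
    if minor in (3, 12):                  # backport branches fixed in 2.3.1 / 2.12.2
        return patch < (1 if minor == 3 else 2)
    return (minor, patch) <= (14, 1)


def scan_archive(data: bytes, name: str, findings: list) -> list:
    """Inspect one archive (as bytes) and recurse into nested jars/wars."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings                   # not a zip: skip, don't crash
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM in names:                  # this archive *is* log4j-core
            props = zf.read(POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            findings.append({"archive": name, "version": version,
                             "affected": is_affected_version(version),
                             "jndi_lookup_present": JNDI_CLASS in names})
        for entry in names:               # fat jars / wars embed log4j-core
            if entry.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(entry), f"{name}!{entry}", findings)
    return findings


def scan_tree(root) -> list:
    """Walk a directory tree and report every log4j-core archive found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings
```

Run scan_tree on each application root and treat any finding with affected set to True, or with JndiLookup.class still present, as input to the Prioritize and Action steps.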
Further reading: