The Cost of Ignoring the Log4j Vulnerability
By Sean Atkinson, Chief Information Security Officer
Ignorance is not bliss when it comes to the Log4j vulnerability. In the past month, organizations have been scrambling to understand their exposure to the most recent major cyber threat, called “Log4j.” Log4J is an open-source software module, available to individuals and organizations at no cost. It's used in a large number of commercial and privately-developed software systems to handle audit logging for software systems written using the popular Java programming language. This module is used widely by almost every major software vendor, as well as custom software developers. As a result, there is a scramble in the industry to identify where Log4J is included in their products and release the patches to mitigate the risks associated with the vulnerability.
Potential Log4j Risks
- Java applications are deployed everywhere using this logging tool. Hundreds of vendors are known to be vulnerable.
- This vulnerability received the maximum cyber risk score (CVSS 10)--which is a very rare occurrence.
- Not only is Log4j prevalent, but it is also easy to exploit.
- If organizations do not take appropriate action to remedy the vulnerability, both mission impacts, as well as legal and reputational risks, are possible.
Why the Concern?If organizations choose not to address this risk, the Log4j vulnerability can be exploited to perform what is called remote code execution, allowing a malicious actor to take control of an affected server in one of the following ways:
- Permitting exfiltration of sensitive data within your organization
- Performing denial of service attacks preventing mission accomplishment
This attack sequence is shown in the high-level diagram below.
Your ResponsibilityFollow the steps below to address the risk for an affected Log4j system:
- Inventory affected systems using Log4j. Review CISA's Affected Vendor & Software List
- Follow DHS CISA guidance with respect to remediation: Apache Log4j Vulnerability Guidance
- Ensure that all custom systems are thoroughly reviewed to identify instances of Log4j and are appropriately patched.
- Continue to assess new systems that might be vulnerable. Vigilance is required to address these affected systems/services.
The accompanying flowchart will help organizations assess and address the Log4j vulnerability.