The Cost of Ignoring the Log4j Vulnerability

By Sean Atkinson, Chief Information Security Officer

Ignorance is not bliss when it comes to the Log4j vulnerability. In the past month, organizations have been scrambling to understand their exposure to the most recent major cyber threat, called “Log4j.” Log4J is an open-source software module, available to individuals and organizations at no cost. It's used in a large number of commercial and privately-developed software systems to handle audit logging for software systems written using the popular Java programming language. This module is used widely by almost every major software vendor, as well as custom software developers. As a result, there is a scramble in the industry to identify where Log4J is included in their products and release the patches to mitigate the risks associated with the vulnerability.

Potential Log4j Risks

  1. Java applications are deployed everywhere using this logging tool. Hundreds of vendors are known to be vulnerable.
  2. This vulnerability received the maximum cyber risk score (CVSS 10)--which is a very rare occurrence.
  3. Not only is Log4j prevalent, but it is also easy to exploit.
  4. If organizations do not take appropriate action to remedy the vulnerability, both mission impacts, as well as legal and reputational risks, are possible.
Many vendors have already issued patches and provided recommendations on how to determine if an organization has been impacted by using their software. Additionally, CIS has launched the Log4j page on our website. This page provides more information to help you determine if your organization is at risk from this vulnerability and steps you can take address the risks. Some organizations have chosen to ignore the issue altogether. Executives need to be mindful that the mission impact of the Log4j vulnerability is very large. Remediation should be a top priority for all organizations. Not taking action may also have legal consequences. In a recent statement, the FTC expressed intent to "use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

Why the Concern?

If organizations choose not to address this risk, the Log4j vulnerability can be exploited to perform what is called remote code execution, allowing a malicious actor to take control of an affected server in one of the following ways:
  1. Permitting exfiltration of sensitive data within your organization
  2. Performing denial of service attacks preventing mission accomplishment

This attack sequence is shown in the high-level diagram below.  

Log4j Attack Sequence Diagram

Your Responsibility

Follow the steps below to address the risk for an affected Log4j system:
  1. Inventory affected systems using Log4j. Review CISA's Affected Vendor & Software List
  2. Follow DHS CISA guidance with respect to remediation: Apache Log4j Vulnerability Guidance
  3. Ensure that all custom systems are thoroughly reviewed to identify instances of Log4j and are appropriately patched.
  4. Continue to assess new systems that might be vulnerable. Vigilance is required to address these affected systems/services.

The accompanying flowchart will help organizations assess and address the Log4j vulnerability.