In January, the FTC warned companies about the catastrophic consequences of the vulnerability caused by Log4j, a Java library for logging error messages in applications. The cybersecurity issue persists in causing major problems due to the “growing set of attackers” posing risks to companies in the way of data breaches, financial loss, and irreversible damages.
Log4j is a component of applications designed to help developers track activity in systems found in consumer-facing products and services, making it possible to be embedded in applications, and rendering it a data-breach time bomb.
The trouble is caused by the vulnerability (CVE-2021-44228), which allows bad actors to remotely use code to gain access to systems that use Log4j.
“If a server is affected by this vulnerability, the likelihood of a breach is quite high,” said 360 Advanced Pentesting Practice Manager, Bryan Martin. “There are open-source exploits readily available that have been proven to allow successful exploitation and ultimately lead to system access on the server.”
How Serious Is Log4j Vulnerability?
In March, Forbes illustrated the enormity of the continuing Log4j problem with an analogy of defective bolts, which would require every car, airplane, and machine to be disassembled and reassembled with different hardware.
“This is serious due to the level of access that can be obtained and the fact that most of the servers running this service are public facing and easily identified through open-web scanning for vulnerable systems,” Martin said.
All devices exposed to the internet are vulnerable if they’re running Apache Log4j Version 2.0 – 2.14.1.
“Anything that is running this and is exposed to the internet is at risk,” said 360 Advanced Technical Services Manager, Ryan Edmondson. “Cloud, developer tools, and security devices all across the world are using Apache Log4j.”
There are current patches that have been released that alleviate this issue, he said.
“Admins should be staying up-to-date on this as well as other security advisories and checking their system inventory for affected hosts and applying the appropriate patches,” Martin said.
Edmonson recommends compiling an asset list and executing a patch-management strategy because after a breach “it’s too late.”
If the version is 2.14.1 or less, the Log4j service is vulnerable and should be upgraded to the latest stable release.
“Every vulnerability is still a threat until it is patched or properly fixed,” Martin said.
How 360 Advanced Helps
We know you’d rather concentrate on the growth of your business rather than technology threats. That’s where we come in. 360 Advanced helps you identify your Log4j risks through vulnerability scanning and other penetration testing services.
While hackers are getting smarter every day, 360 Advanced actively reviews the latest strategies and vulnerabilities to leverage during testing to help you stay ahead of risks and better protect your assets. We tailor our methods to your company’s unique needs, always with an eye on your budget.
Contact us to schedule your assessment.