Log4j Vulnerability Still Poses Major Threat

Julie Butterfield August 16, 2022

In January, the FTC warned companies about the catastrophic consequences of the vulnerability in Log4j, a Java library used to log error messages in applications. The issue continues to cause major problems: a “growing set of attackers” exposes companies to data breaches, financial loss, and irreversible damage.

Log4j is a logging component that helps developers track activity in their systems. It is embedded in countless applications, including consumer-facing products and services, which makes it a data-breach time bomb.

The trouble is caused by the vulnerability (CVE-2021-44228), which allows bad actors to remotely execute code on systems that use Log4j and thereby gain access to them.

“If a server is affected by this vulnerability, the likelihood of a breach is quite high,” said 360 Advanced Pentesting Practice Manager, Bryan Martin. “There are open-source exploits readily available that have been proven to allow successful exploitation and ultimately lead to system access on the server.”

How Serious Is It?
In March, Forbes illustrated the enormity of the continuing Log4j problem with an analogy of defective bolts, which would require every car, airplane, and machine to be disassembled and reassembled with different hardware.

“This is serious due to the level of access that can be obtained and the fact that most of the servers running this service are public facing and easily identified through open-web scanning for vulnerable systems,” Martin said.

All devices exposed to the internet are vulnerable if they are running Apache Log4j versions 2.0 through 2.14.1.

“Anything that is running this and is exposed to the internet is at risk,” said 360 Advanced Technical Services Manager, Ryan Edmondson. “Cloud, developer tools, and security devices all across the world are using Apache Log4j.”

Patches that fix this issue have already been released, he said.

“Admins should be staying up-to-date on this as well as other security advisories and checking their system inventory for affected hosts and applying the appropriate patches,” Martin said.

Edmondson recommends compiling an asset list and executing a patch-management strategy, because after a breach “it’s too late.”

If the installed version is 2.14.1 or lower, Log4j is vulnerable and should be upgraded to the latest stable release.
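The inventory check described above (find the hosts and jars that carry an affected Log4j, then compare the version against the range the article gives) is easy to automate. The script below is an added example, not code from the article or from 360 Advanced. It uses the article's affected range of 2.0 through 2.14.1, takes the version from the jar's filename or, when the jar itself is available, from the Implementation-Version entry in its manifest, and flags repackaged ("shaded") jars that bundle log4j-core under another name by looking for the JndiLookup class path. The sample jars it builds are constructed stand-ins so the example runs offline; the manifest layout and the `scan_tree` helper are assumptions of the example.

```python
"""Inventory helper: flag Log4j jars in the affected range stated in the article."""
import io
import re
import zipfile
from pathlib import Path
from typing import Iterator, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range as the article states it: Log4j 2.0 through 2.14.1 inclusive.
AFFECTED_MIN: Version = (2, 0, 0)
AFFECTED_MAX: Version = (2, 14, 1)

# The vulnerable lookup lives in log4j-core; this class path is the usual
# indicator that a jar (possibly repackaged under another name) bundles log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_FILENAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """Turn '2.14.1' or '2.15' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_from_filename(name: str) -> Optional[Version]:
    """Version encoded in a standard log4j-core-<version>.jar filename, else None."""
    m = _FILENAME_RE.match(Path(name).name)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def manifest_version(jar_bytes: bytes) -> Optional[Version]:
    """Implementation-Version from META-INF/MANIFEST.MF, or None.
    Only meaningful when the jar is log4j-core itself; a fat jar's manifest
    describes the application, not the bundled library."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return parse_version(value)
    return None


def bundles_log4j_core(jar_bytes: bytes) -> bool:
    """True if the jar contains the log4j-core JndiLookup class (shaded jar check)."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            return JNDI_LOOKUP_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return False


def is_affected(version: Version) -> bool:
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(name: str, jar_bytes: Optional[bytes] = None) -> str:
    """Return 'affected', 'not-affected', 'embedded-unknown-version' or 'not-log4j-core'."""
    version = version_from_filename(name)
    if version is not None and jar_bytes is not None:
        # A filename can be stale or renamed; prefer the manifest when it is readable.
        version = manifest_version(jar_bytes) or version
    if version is not None:
        return "affected" if is_affected(version) else "not-affected"
    if jar_bytes is not None and bundles_log4j_core(jar_bytes):
        return "embedded-unknown-version"  # shaded jar: inspect its contents by hand
    return "not-log4j-core"


def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Walk a directory tree and classify every .jar found (assumed helper)."""
    for path in Path(root).rglob("*.jar"):
        yield str(path), classify(path.name, path.read_bytes())


def build_sample_jar(version: Optional[str], with_jndi_class: bool) -> bytes:
    """Constructed stand-in for a jar: a zip with a manifest and, optionally,
    the JndiLookup class path. Exists only so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if with_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [  # constructed inventory
        ("log4j-core-2.14.1.jar", build_sample_jar("2.14.1", True)),
        ("log4j-core-2.17.1.jar", build_sample_jar("2.17.1", True)),
        ("renamed-logging.jar", build_sample_jar("2.14.0", True)),
        ("commons-io-2.11.0.jar", build_sample_jar("2.11.0", False)),
    ]
    for jar_name, data in samples:
        print(f"{jar_name:26} {classify(jar_name, data)}")
```

Run `scan_tree("/opt/apps")` (or any root the application servers deploy from) on each host in the asset list and keep the "affected" and "embedded-unknown-version" rows; the second category is the one a filename-only inventory misses, since a shaded application jar carries no log4j version in its name.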

“Every vulnerability is still a threat until it is patched or properly fixed,” Martin said.

How 360 Advanced Helps
We know you’d rather concentrate on the growth of your business rather than technology threats. That’s where we come in. 360 Advanced helps you identify your Log4j risks through vulnerability scanning and other penetration testing services.

While hackers are getting smarter every day, 360 Advanced actively reviews the latest strategies and vulnerabilities to leverage during testing to help you stay ahead of risks and better protect your assets. We tailor our methods to your company’s unique needs, always with an eye on your budget.

Contact us to schedule your assessment.
Team Bios

Bryan Martin, Pentesting Practice Manager

Bryan Martin, Pentesting Practice Manager, is one of 360 Advanced’s ethical hackers and has led hundreds of penetration testing engagements from startups to Fortune 500 organizations. He is an expert programmer who has developed proprietary software for threat intelligence.

Bryan’s cybersecurity career began with the Navy, where he trained as a Joint Cyber Analyst and became a Network Information and TAO Analyst, conducting analyses of over 900 targets of high interest and directing Computer Network Operations planning. While at the Navy Cyber Defense Operations Command in Suffolk, Virginia, he was awarded the Navy Achievement Medal. There he earned his Security+ certification and led a large team monitoring 15 Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) sensors across the Department of Defense Information Network.

In Bryan’s civilian role, he spent many years leading a penetration testing team serving public-sector clients, including partnering with 360 Advanced and their clients. This experience led him to his current position as a Manager of the penetration testing team with 360 Advanced.

Ryan Edmondson, Technical Services Manager

Ryan Edmondson, OSCP, OSWP, CSIS, PWAPT, eWPT, ePTX, is a Technical Services Manager and Lead Penetration Tester. At 360 Advanced, he is responsible for penetration testing projects, including red teaming.

Ryan is an experienced Information Technology Support Specialist with advanced skills in Network Security, Penetration Testing, Vulnerability Assessments, and Red Team exercises, as well as enterprise-level IT infrastructure, computer repair, technical support, customer-relationship management, and operational planning.

He earned his degree in Network and System Administration from Strayer University after serving in the US Army as an Infantry Soldier for six years, where he conducted wide-scale reconnaissance and surveillance operations.