The Log4j vulnerability is bad. Here’s the good news

Enterprise

Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more


A critical vulnerability discovered in Log4j, a widely deployed open source Apache logging library, is almost certain to be exploited by hackers — probably very soon. Security teams are working full-throttle to patch their systems, trying to prevent a calamity. (The massive 2017 privacy records breach of Equifax involved a similar vulnerability.) It’s a very bad day, and it could get much worse soon.

But in some regards at least, businesses are in a better position to avoid a catastrophe now than in the past. This being 2021, there are some advantages now when it comes to responding to a bug of this severity, security executives and researchers told VentureBeat.

First and foremost, “the world is primed for responding to these disclosures, with companies moving to mitigate issues within hours,” said Brian Fox, chief technology officer at Sonatype, in an email. “This particular issue is potentially more dangerous because Log4j is widely adopted. [But] the Apache Log4j team pushed out a fix with urgency. How quickly they moved greatly reduced the chance of severely negative, long-term impacts.”

Proactive approach

Dave Klein, director of cyber evangelism at Cymulate, said that while the severity of the situation can’t be downplayed — he expects an exploit within 48 hours — the response to the discovery of the vulnerability shows that “we’re getting better at being proactive.”

“In the past, you literally had zero days that were two years long,” Klein told VentureBeat. “Today, it really has changed. What we’re seeing is a better situation where the world is finding bug bounties useful, finding vulnerabilities, doing proof of concepts … I’d argue that this is a great example of [security in] 2021.”

Crucially, the Apache Log4j team “worked overnight in a nearly unprecedented way to understand and turn around a fix on this quickly,” Fox said. “Oftentimes, zero day reports can take months to come to fruition from report to release. This one appears to have happened within days.”

The heightened awareness around cybersecurity has also led to greater buy-in at the corporate leadership level, including in the boardroom, which makes a difference too, Klein said.

“For me, cybersecurity is finally at a point where the boardroom gets it. And even if they don’t understand it completely, they’re reaching out to someone in technical leadership and saying, ‘I need to understand this better,’” he said. “What’s really happening is, the world’s waking up.”

Technological factors

On top of that, automation technologies for scanning open source code, such as software composition analysis (SCA), have found growing adoption in recent years. So has the use of detection and response capabilities, which could be crucial for uncovering threats in a situation like this.

There does appear to be less reliance on Log4j now than in the past, as well. “There’s more heterogeneity in the Java logging space than there was for a long time,” said Arshan Dabirsiaghi, cofounder and chief scientist at Contrast Security, in an email. “For a long time, the only thing we used was Log4j. It’s not even the default library in some major frameworks anymore.”

Regardless, “we’ll be seeing this vulnerability for the rest of our careers in all the nooks and crannies of our IT footprint,” Dabirsiaghi said. “But five years ago, it would have been a lot worse.”

‘Long tail’ vulnerability

None of this is to minimize how bad the situation is for security teams and how much worse things could get in the event of an exploit.

The threat posed by the remote code execution (RCE) vulnerability is to enable by an attacker to remotely access and control devices.

“Since this vulnerability is a component of dozens if not hundreds of software packages, it could be hiding anywhere in an organization’s network, especially enterprises with massive environments and systems,” said Karl Sigler, senior security research manager at Trustwave SpiderLabs, in an email.

“The fact that this occurred during December just means a lot of holiday time is going to be missed for security teams that have to respond to threats trying to take advantage of this mass vulnerability,” Sigler said. “This vulnerability is going to have a really long tail, and will likely ruin weekends and vacations for many IT and information security professionals across the globe.”

Given the scale of affected devices and exploitability of the bug, “it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, in an email.

Update and be vigilant

Security firms say the vulnerability has impacted versions 2.0 and 2.14.1 of Apache Log4j. Organizations are “advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications,” Morgan said.

Services including Apple iCloud and Steam, and apps including Minecraft, have been found to have vulnerabilities to the issue, according to LunaSec.

Ultimately, according to Amit Yoran, CEO of Tenable, “the good news is that we know about it.”

“The fact that it has come to light means we’re in a race to find and fix it before bad actors take full advantage of it,” Yoran said.

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member