A zero-day vulnerability of Log4j (CVE-2021-44228), an open-source, Java-based logging utility widely used by enterprise applications and cloud services, recently came to light.
Log4j2 incorporates a logging feature called “Message Lookup Substitution.” One of the lookup methods, the JNDI lookup paired with the LDAP protocol, calls a Java class from a remote source giving the ability to execute part of its code, resulting in a scenario in which an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The vulnerability called Log4shell, is considered critical as it impacts almost all version of Log4j (excluding the latest version 2.15.0). Millions of Java applications use this library to log error messages. US CISA Director Easterly said in a statement: “To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
ISACA Board Chair Gregory Touhill, CISM, CISSP, Brigadier General (ret), stated: “This is a significant cyber vulnerability that presents great risks to those whose infrastructure has the Log4j code embedded in various applications and systems. Because of that, it likely will take many weeks before many organizations are able to evaluate their applications and systems for risk exposure. Because the vulnerability can be exploited remotely by a single line of code, it is important to move quickly to take recommended mitigation actions now and stay informed through sources like national CERTs, ISACA, original equipment and software manufacturers, and other reputable sources as more analysis yields additional mitigation and risk management recommendations in the coming weeks.”
While many exploitation attempts around the world have been recorded in the last few days, it is important to implement immediate actions and also consider longer-term strategies from lessons learned. In terms of immediate actions, some of the advisory can be found below (steps updated 22 Dec. 2021 to reflect new guidance):
- Search your network for Log4J installations.
- Patch to the latest version of Log4J from the Apache Foundation (while Log4shell was addressed with version 2.15, new vulnerabilities were discovered, leading to subsequent patches 2.16 and 2.17).
- If patching is not possible, apply mitigating measures as reported in this link, although patching is considered the most appropriate solution.
- Keep monitoring the systems that incorporate Log4j for suspicious behavior.
In terms of longer-term strategies and as zero-day vulnerabilities are the norm, importance of detection and response policies and procedures, including the following, must be emphasized:
- Readiness of the Security Operations Center (internal or outsourced service) to be able to react through appropriate training to zero-day vulnerabilities.
- Investment on incident response automation to have the response teams apply procedures in a timely and focused manner.
- Patching policies and procedures in place for keeping digital ecosystems up to date and upgrade-ready, including appropriate response plans and automated testing capabilities to react on a timely manner.
- Cybersecurity maturity assessments and related improvements for ensuring that the organization is able to react in a predicted manner in case of a cyber incident.
- Close collaboration of the cybersecurity, risk management and IT audit teams for providing assurance on the above.
Protecting against zero-day vulnerabilities requires vigilance, well-trained cyber response teams, cyber-mature organizations and, most importantly, collaboration among several different digital trust-related functions in the organization to ensure an in-time reaction and the minimum possible impact.
Editor's Note: Watch ISACA's Chris Dimitriadis and Scott Reynolds discuss the latest Log4Shell updates in this ISACA Live video.