A vulnerability has been found in Apache Log4j, a popular logging package for Java. Reports on the internet show that this vulnerability affects a lot of applications: from cloud to developer tools and security devices. Is your system safe of potential breaches? We'll show you what to look for, according to the latest information.
What is Log4j?
The open source Apache logging library Log4j is a widely used tool for collecting diagnostics data from applications written in Java. It is mostly used in enterprise software applications, including custom applications developed by businesses in-house. Thus it forms part of many modern cloud computing services. The Log4j library is included in Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift.
Potential breaches by vulnerabilities
In case you're wondering why the potential threat is so severe for this vulnerability? This has several reasons. For one, it's the popularity of the tool as mentioned above. Another reason is the fact that it's relatively easy for hackers to exploit it. Through Log4j a hacker can activate the vulnerability by sending a malicious string, or series of characters, to a vulnerable application. This means that anyone can in theory compromise a vulnerable application just by entering a malicious string into, for example a login form, or any other kind of interface.
On the 9th of december The Apache Software Foundation has released their first patch that fixes the vulnerability. However a couple of days after the damaging vulnerability was disclosed, a second Log4J vulnerability has come to light. It is often seen that a soon as a vulnerability is discovered and makes this much noise, it regularly signals that there are additional vulnerabilities in the same software discovered by additional research.
Log4j at Tilaa
At Tilaa, we've found that the only potential vulnerable software used was Apache Tomcat, an open source software implementation of the Java Servlet and JavaServer Pages technologies. However none of our customers have this image installed and for now we've excluded it from our offering.
Related software regarding Log4j
On Github an overview of related software is maintained of all known vulnerable and not vulnerable software. Also a reference to the software contains specific information regarding which version has security fixes, and which software still requires mitigation.
Check if your systems are clear of vulnerabilities
This vulnerability has the highest CVSS score of 10.0. One of the first things to check is, if you're vulnerable. Something that is rather complicated by the many ways Log4j can be deployed. Luckily, for Linux servers, GitHub user, Rubo77 created a script that will check for packages that include vulnerable Log4j instances.
The script is still in beta and it's not one 100%, but it's a great place to start your initial identification of vulnerabilities. Understand, this script doesn't test for jar files. So consider this as a launching point.
If you find any vulnerabilities it is recommended to update immediately with the latest available patch. And if the application does not yet provide an updated version, the safest way is to disable it for now.
If you have any further questions regarding this vulnerability or the security of the applications that you use for your business, please don't hesitate to contact our specialists.