A major vulnerability was discovered Thursday in Log4j, a popular Java logging package.
According to Ashan Dabirsiaghi, co-founder and chief scientist at Contrast Security, Log4j is the most popular logging framework for Java: essentially any Java application that logs data uses it, which puts it in millions of applications.
Security company Sonatype claims that Log4j has been downloaded 28.6 million times just in the past four months, and that it is a dependency in over 7,000 open-source projects.
Already it has been reported that services like Steam, Apple iCloud, and Minecraft are vulnerable, and that just changing an iPhone’s name could trigger the vulnerability on Apple’s servers, according to LunaSec.
“Make no mistake, this is the largest Java vulnerability we have seen in years,” said Dabirsiaghi. “It’s absolutely brutal. There are three main questions that teams should answer now—where does this impact me, how can I mitigate the impact right now to prevent exploitation, and how can I locate this and similar issues to prevent future exploitation?”
To mitigate the risks, Mike Wiacek, founder and CEO of security company Stairwell, recommends companies assess where they need to look for vulnerabilities, which machines need to be patched, and which software needs to be updated. In addition, to reduce risk while patching efforts are underway, he recommends companies use tools that let them rapidly scan their assets for the vulnerable Log4j packages.
“One approach could include searching across file metadata such as file paths and file names or hashes,” said Wiacek. “Another approach could include scanning enterprise file content with customized YARA rules to identify files and artifacts associated with log4j components. These types of searches can accelerate otherwise slow and laborious defensive processes and further help organizations assess where related software exists, where it is out of date, where it is vulnerable, and where to look for post-exploit activity should an attacker make a move before patching can occur.”
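An added example, not code from the article or from any of the companies quoted, in the spirit of the file-name and hash searches Wiacek describes: a Python scanner that walks a directory tree, records every log4j-core jar (including jars bundled inside war/ear files) with its SHA-256 and the version read from the manifest or file name, and flags versions below an assumed fixed release. The 2.15.0 threshold, the file-name pattern and the constructed sample archive are my assumptions, not facts from the article.

```python
import hashlib, io, re, tempfile, zipfile
from pathlib import Path

# Assumption (not from the article): log4j-core releases below this are flagged.
FIXED_VERSION = (2, 15, 0)
CORE_JAR = re.compile(r"log4j-core-([0-9][0-9A-Za-z.-]*)\.jar$")
NESTED = (".jar", ".war", ".ear")  # archives that may bundle other archives

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-beta9' are dropped."""
    return tuple(int(p) for p in re.split(r"[.-]", text) if p.isdigit())
def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None
def inspect(zf, label, digest, findings):
    """Record a log4j-core archive, then recurse into jars bundled in a war/ear."""
    match = CORE_JAR.search(label)
    if match:
        version = manifest_version(zf) or match.group(1)  # manifest beats file name
        findings.append({"path": label, "sha256": digest, "version": version,
                         "affected": parse_version(version) < FIXED_VERSION})
    for member in zf.namelist():
        if member.lower().endswith(NESTED):
            data = zf.read(member)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    inspect(inner, f"{label}!{member}", hashlib.sha256(data).hexdigest(), findings)
            except zipfile.BadZipFile:
                pass  # member is named like an archive but is not one
def scan(root):
    """Walk a directory tree; return one finding per log4j-core jar, nested or not."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in NESTED and zipfile.is_zipfile(path):
            data = path.read_bytes()
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inspect(zf, str(path), hashlib.sha256(data).hexdigest(), findings)
    return findings
def make_sample():
    """Constructed input: a temp dir holding app.war that bundles log4j-core 2.14.1."""
    root = Path(tempfile.mkdtemp())
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\n")
    with zipfile.ZipFile(root / "app.war", "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    return root
```

The recorded SHA-256 values can be compared against a vendor-supplied list of known-bad digests; `make_sample()` only exists so the scanner can be exercised offline.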
According to Dr. Richard Ford, the CTO of cybersecurity company Praetorian, researchers at his company were able within a few hours to develop a fully working exploit for the vulnerability.
“The company’s engineers and researchers have been working since last night in a war room to scan its customers and are finding vulnerabilities in the field,” said Ford. “Worse yet, we’re also inadvertently discovering the vulnerability in third parties who are on adjacent or integrated systems. Naturally, we are following responsible disclosure policies so cannot call out these systems by name, but it is one of the largest exposures we have seen at Internet scale. All vulnerabilities are typically scored by how dangerous they are: this vulnerability has practically the highest score possible, and it seems likely that even some professionals are unaware of its potential impact. The situation is rapidly evolving, and we are learning a great deal about the scope and impact of this vulnerability as we quickly work with customers to help mitigate the risk in the short term while they work on a long term solution, which will require patching all instances of the vulnerable code – a process which could take months.”
Sonatype’s CTO Brian Fox added: “This new Log4j vulnerability is likely going to be another ‘flashbulb memory’ event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem. The scope of affected applications is comparable to the 2015 commons-collection vulnerability (CVE-2015-7501) because attackers can safely assume targets likely have this on the classpath. The impact is comparable to previous Struts vulnerabilities, like the one that impacted Equifax, because the attacks can be done remotely, anonymously without login credentials, and leads to a remote exploit. The combination of scope and potential impact here is unlike any previous component vulnerability I can readily recall.”
More information is available in this blog post from security company LunaSec.