How To Reduce The Risk Of The Log4j Vulnerability To Your Business

Log4j is a Java framework used by developers to log activity in their software applications. Instead of reinventing a logging component each time they build new software; developers can use existing open-source frameworks like Log4j to save time and effort. The tool is used by millions of developers worldwide; spanning businesses; governments and more.

What is the Log4j vulnerability?

On December 9; an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2 versions 2.14.1 and below. This meant that when the framework was used to log a line of malicious code; Log4j would actually execute the code.

Effectively; this left Java-based servers vulnerable to malicious users; potentially allowing attackers access to systems; with the ability to steal passwords and logins; obtain data; and infect networks with malicious software.

Who is impacted?

Log4j is widely used in application logging; with over 400;000 downloads on its GitHub project. Tech giants such as Google and Microsoft were initially affected; as well as everything from software sellers like Salesforce down to TVs connected to the internet.

Is the vulnerability being fixed?

Google reported that as of December 17; nearly 5;000 of the affected 35;863 artifacts had been fixed; stating: “an artifact affected by Log4j is considered fixed if it has updated to 2.16.0 or removed its dependency on Log4j altogether.” The blog also stated that this represented a mammoth response: "both by the Log4j maintainers and the wider community of open source consumers."

How can I mitigate the risk to my business?

As a first step; ensure that your in-house developers or third-party providers update any applications developed using Log4j to the latest version; which is currently Log4j 2.17.0.

To exploit this vulnerability; attackers have to deliver malicious code to a service running Log4j.

The Washington Post stated: “Phishing emails — those messages that try to trick you into clicking a link or opening an attachment — are one way to do so.”

In line with this; help your staff understand how to identify potentially malicious emails: avoid downloading attachments or clicking links from unknown sources; and check the email address each email has come from. You can read more about ways to keep business data safe in our blog post.