Best Practices
Log4j Vulnerability Resources For Vendor Risk Management
Scoping Template
Shared Assessments has released a free Standardized Assessment Tool for the Log4j risk. With this scoping template, you will be able to conduct your own vulnerability assessment and share the form with your vendors for a holistic view of Log4j risk across your supply chain. Register to download in the form on the right.
What is Log4j?
Log4j (Log for Java) is a Java library from the Apache Software Foundation for logging error messages in applications using Apache software. Java is ubiquitous and Log4j is used across applications and systems with deep roots. The recently discovered vulnerability enables threat actors to bypass restrictions and gain access to any system remotely without using a password. In turn, this can provide a pathway to install malware, exfiltrate data or conduct other malicious activities.
What is Log4j 2?
Log4j 2 is the latest log application version from Apache. Log 4j 1.x is no longer supported, and users of Log4j 1 are recommended to upgrade to Apache Log4j 2. Log4j 1.x has not been supported since July of 2015. For complete text of the announcement made by the Logging Services Project Management Committee, please see the Apache Blog.
Log4j 2 patches and the latest versions across all are now available on the Apache Log4J site, and new updates are posted frequently.
What is Log4shell?
Log4Shell (CVE-2021-44228) was a zero-day vulnerability where servers are available for immediate remote code execution (RCE) takeover. This exploit was given a Common Vulnerability Scoring System (CVSS) severity rating of 10, the highest available score. The exploit is simple to execute and is estimated to affect hundreds of millions of devices, and over 90% of enterprise cloud environments. Log4Shell is an app-layer vulnerability that doesn’t require the attacker to have any privileged access and can’t be blocked at the perimeter. Therefore, Log4Shell can infiltrate internal servers directly by bypassing company defenses as legitimate application traffic.
How should 3rd Party Risk teams and practitioners assess Log4j exploit potential in their vendor ecosystem?
Share a notification to ALL your vendors announcing the vulnerability (even though it is well known), provide links to monitor the Apache site for Log4j 2 application updates, and require vendors to note which applications may be affected by this vulnerability.
Shared Assessments created a Log4j vulnerability assessment for your 3rd party, 4th party and Nth party providers (taken from the 2022 SIG Questionnaire) to assist the community in further vendor due diligence. Like past exploits and issues, Shared Assessments will continue to analyze and acquire a deeper understanding of the impact these may have on the community and our profession.
How should security, audit, and risk management teams handle their own internal IT Log4j vulnerability?
Ensure your internal IT organizations are familiar with the vulnerability and make an inventory of in-house applications that may potentially be affected. Also, be on the watch for connecting network and system traffic that displays irregular data extraction or movement from your networks and systems.
Is Log4j a widespread threat?
“A brief survey found that 52% of the risk management community say they are impacted by Log4j. However, risk analysts understand that the impact is much higher – experts are only at the early stages of assessing the actual impacts of the vulnerability”, said Ron Bradley, Vice President, Shared Assessments.
How long has the log4j RCE (remote code execution) vulnerability been open for hackers?
According to Checkpoint, the vulnerability was discovered on November 24th, and initially, the attacks were relatively small. Around December 9th, attacks exploiting this vulnerability have exploded – jumping into the millions – averaging around a hundred exploits per minute.
More Log4j Resources
Background on the Log4j vulnerability: what it does, how to treat it, and what it means to risk management. Read the post here.
Led by industry security professionals, our fireside chat features a discussion of the looming risk the Log4j you can assess your internal attack surface. The discussion answers the most pressing questions: “What is Log4j?” “What does it mean to me and my team?” “How should I bring this up to my Vendors?”, and most importantly, “What should we do next?” Watch the webinar.
More Information
For the latest log4j developments, please visit the Apache Log4j Security Vulnerabilities page.