Recent Java Log4j exploitation: what does this mean for your business?


December 14th, 2021
Authored by Hiscox Experts

On Thursday, December 9, 2021, a zero-day exploit was made public in the popular Java logging library Log4j. The library is often used to create and store logging information from software, applications, hardware appliances etc. A zero-day vulnerability is a software security flaw that is unknown to those who would want to mitigate it, such as the developer. If a hacker becomes aware of it and is able to exploit it before it can be patched, it becomes a ‘zero-day exploit’. A patch is now available for this vulnerability, but any system that remains unpatched is still at risk of further attacks.

Impacted versions of Log4j are 2.0 - 2.14.1; the vulnerability is fixed in version 2.17.

How big is the risk?

This is a particularly dangerous vulnerability because it can be exploited remotely, requires no authentication, and can give full access to the server or device being attacked. Furthermore, it is trivial to exploit (using only a single line of code), and proof-of-concept attacks are already being published online. Finally, the impact of further attacks could be great, since this logging library is widely used and is found in a wide range of appliances and software from various companies: Apache Struts and Tomcat, Solr, Linux distributions, Blackberry, Symantec, Apple etc.

Who’s most affected?

Unfortunately, no specific type of business is more likely to be affected than another, and it’s difficult for an individual company to see whether it is vulnerable. For example, even if the software you run yourself does not contain the vulnerability, it is entirely possible that appliances and services you rely on (such as VPN devices, cloud providers etc.) do.

As this is an Apache library, it’s more likely to be running on Linux servers; however, it’s a Java vulnerability and Java can run on multiple platforms. Therefore, Windows, Linux and Apple servers could all be vulnerable.

What should you do?

  • Confirm your IT/security team or vendor is aware of the recent Log4j vulnerability, also known as CVE-2021-44228 or Log4Shell.
  • Assess your exposure to it for internally developed applications.
  • Speak to your hardware/software/cloud vendors and assess whether their services are impacted.
  • Have a plan to deploy updates after assessing the above.
  • Ensure you’re monitoring, and that relevant employees are on high alert, for any attacks in the coming months that may occur if you were/are vulnerable.

Apache has published a security advisory here (external link) to address this vulnerability and has released a patch to fix it (2.17).
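To assess exposure in internally developed applications, one option is to inventory the copies of log4j-core inside your build artifacts, including those nested in WAR files or repackaged into other JARs. The Python below is an added example, not Hiscox or Apache code: it applies only the version ranges stated in this article and marks anything outside them as "review"; the function names are illustrative, and it assumes repackaged copies keep their Maven `pom.properties` metadata.

```python
import io
import re
import zipfile
from pathlib import Path

# Version ranges exactly as this article states them; anything else needs manual review.
IMPACTED_MIN, IMPACTED_MAX, FIXED_MIN = (2, 0), (2, 14, 1), (2, 17)
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_VERSION = re.compile(rb"^version=(\d+(?:\.\d+)*)", re.M)
ARCHIVES = (".jar", ".war", ".ear")

def classify(version):
    v = tuple(int(p) for p in version.split("."))
    if IMPACTED_MIN <= v <= IMPACTED_MAX:
        return "impacted"
    return "fixed" if v >= FIXED_MIN else "review"

def scan_archive(data, label, findings, depth=0):
    """Find log4j-core by file name or bundled Maven metadata; recurse into nested archives."""
    named = JAR_NAME.search(label)
    if named:
        findings.append((label, named.group(1), classify(named.group(1))))
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            ver = POM_VERSION.search(zf.read(name)) if name == POM_PROPS else None
            if ver and not named:  # bundled or renamed copy
                v = ver.group(1).decode()
                findings.append((label, v, classify(v)))
            elif name.lower().endswith(ARCHIVES) and depth < 3:  # nested archive
                scan_archive(zf.read(name), f"{label}!/{name}", findings, depth + 1)

def scan_tree(root):
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def make_zip(entries):
    """Build a constructed in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Call `scan_tree("/path/to/deployments")` to get a list of `(location, version, status)` tuples; an empty result only means no copy was identified by name or metadata, so vendor confirmation is still needed for third-party appliances.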
