Apache Log4Shell: “greatest vulnerability seen in years”
Immediate steps for Legal and InfoSec teamsA critical vulnerability discovered on December 9, 2021 in the Log4j software developed by the Apache Software Foundation requires urgent attention. The Foundation has already developed and made a patch available (see below). This zero-day attack exploiting Log4j software versions 2.0 to 2.14.1 is being referred to as “Log4Shell.” Experts are calling Log4Shell the greatest security risk seen in years.
This article explains what legal and InfoSec teams need to know, government resources available and immediate steps to take.
What is Apache and does our business use it?
The Foundation, one of the leading open-source organizations, is run by volunteers. The Foundation is best known for its highly regarded web server software used widely across the Internet.
The Log4j software is a Java-based logging utility developed and distributed by the Foundation and used by application developers to log error messages. According to WordPress, the Log4j software runs on 67 percent of all web servers in the world.
Many companies are expected to be directly impacted by this vulnerability because they use Log4j software on their web servers, or indirectly impacted through key vendors or third-party web-service providers that use Log4j software.
The Foundation has made information and patches to Log4j software available at:
- https://logging.apache.org/log4j/2.x/security.html
- https://logging.apache.org/log4j/2.x/download.html
What is the Log4Shell vulnerability?
Log4Shell allows for arbitrary remote code execution on unpatched servers – essentially giving unfettered access to threat actors seeking to deploy malware or conduct other malicious activity. This exploit, tracked under the identifier CVE-2021-44228, scored a 10.0 "critical" rating on the Common Vulnerability Scoring System, which considers ease of exploitability, scope, and potential impact.
Experts have identified the following software as vulnerable to the exploit: Apache Struts, Apache Solr, Apache Druid, Apache Flink, ElasticSearch, Flume, Apache Dubbo, Logstash, Kafka, and Spring-Boot-starter-log4j2. Furthermore, massive scanning activity is being observed on the Internet by threat actors seeking to identify unpatched Apache webserver software.
Attacker groups exploiting this vulnerability are using cryptominers, ransomware, and cobalt strike activity. Given the systemic use of Log4j, most organizations are expected to be impacted.
DHS CISA provides Log4j Vulnerability Guidance; UK’s NCSC also active
DHS Cybersecurity & Infrastructure Security Agency (CISA) has released important information and resources related to the widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1.
CISA urges all organizations to immediately upgrade to Log4j software to version 2.15.0. CISA is imploring the vendor community to immediately identify, mitigate and patch products containing the Log4j software library and to develop communications strategies with customers. DHS-CISA has requested that all suspicious activity related to Log4j software be reported to central@CISA.dhs.gov.
On December 13, CISA released a web page, Apache Log4j Vulnerability Guidance, and will actively maintain a community-sourced GitHub repository of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. CISA will continually update both the web page and the GitHub repository.
The UK’s National Cyber Security Centre (NCSC) also issued an alert on December 10 advising that organizations update Log4j as quickly as possible. For the latest NCSC updates, visit the reports and advisories page.
Immediate action items for Legal and InfoSec
Running an application containing Log4j software does not mean that your system has been infected with malware or accessed by threat actors. It does mean that a serious vulnerability and threat to your system will persist until the server is patched. Once patched, the business must investigate whether any malicious activity occurred before the patch.
Below are recommendations of actions to take in response to Log4Shell:
- InfoSec team to immediately update to the latest version of Apache Log4j software (version 2.15.0-rc2)
- InfoSec team to prioritize internet facing hosts, enable Web Application Firewalls, check for vulnerable versions, check logs for references in path or user-agent strings
- InfoSec team to keep list of actions taken in response to Log4Shell and conduct continuous monitoring and scanning
- Legal team to communicate with vendors and service providers to determine whether Log4j software is used in their products, whether Log4j software has been patched, whether Log4Shell has impacted their systems/services/products and if so, the status of remediation. Review vendor contracts for notice rights and indemnity obligations and take appropriate action to preserve contractual and other remedies
- Legal team to print a hard copy of the cyber insurance policy
- Legal and InfoSec teams to print hard copies of the incident response plans and playbooks and notify members of the incident response team to be on standby in the event they need to be activated
- InfoSec team to search for malicious activity between December 1, 2021 and when Log4j software is patched
- If InfoSec team detects unauthorized activity, activate IR plans and get legal involved to conduct privileged investigation
- Legal and InfoSec teams to stay current on Log4Shell threats.
How DLA Piper can help
DLA Piper's cybersecurity professionals can advise on how to identify/contain/remediate any malicious activity resulting from Log4Shell.
If you believe your system has been accessed by unauthorized parties, DLA Piper can help you coordinate a response to regain system control, identify the extent of any compromise, and mitigate resulting damages.
For more information, please contact the authors of this article or your DLA Piper relationship attorney.