Dave
You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. Join me and my guests, Outpost24's Laura Enriquez and Michaelo Steppa, on Tuesday, May 13th at noon Eastern time for a live discussion on the biggest threats hitting web applications today and what you can do about them. We're going to talk about why attackers still love web apps in 2025, the latest threat trends shaping the security landscape, how to spot and prioritize critical vulnerabilities fast, along with scalable, practical steps to strengthen your defenses. Again, the webinar is Tuesday, May 13th, for our live conversation on the state of modern web application security. You can register now by visiting events.thecyberwire.com. That's events.thecyberwire.com. We'll see you there. Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2K, code N2K.
Rick Howard
The word is Log4j vulnerability, spelled L for ledger, O for observation, G for gigantic, 4 for the number 4 and J for Java: an open source Java-based software tool available from the Apache Software Foundation, designed to log security and performance information. Example sentence: Log4j is code written in the Java computer language and created by volunteers within the Apache Software Foundation to run across a handful of operating systems: Apple's macOS, Windows and Linux. Origin and context: The Apache Software Foundation released the general availability of the Log4j module version 1 in July of 2014. The next year, the Apache Logging Services Project Management Committee announced Log4j 2 as a replacement. Fast forward to 24 November 2021, six years later. Alibaba's cloud security team's Chen Zhaojun disclosed to the Apache Software Foundation a vulnerability in the module. On 9 December, Apache announced exploitation in the wild of the Log4j vulnerability and named it Log4Shell. By the next day, 10 December, NIST classified the vulnerability as a critical issue in its National Vulnerability Database. The reason for the severity is the ubiquity of the Log4j code module and the simplicity of the Log4Shell exploitation code. Its ubiquity stems from the fact that the code from the Apache open source cross-platform web server is the most popular web server software on the planet. If you're running web services somewhere, there's a good chance that you're running Apache. The simplicity results because any unauthenticated user of the Log4j service can send a 12-character code segment and take control of the server. Yikes. Log4Shell leverages the third highest software vulnerability type from the OWASP Top 10, a reference document describing the most critical security concerns for web applications, in this case injection. In other words, the unpatched Log4j module doesn't isolate its code from its data. It interprets log message data as instruction code.
When hackers send a URL to the module, the service grabs the URL, fetches the data located there, and runs the executable payload with the full privileges of the Log4j main program. According to Microsoft's John Douglas, as of 4 November 2021, the percentage of public software repositories that use open source software is north of 80%. He says that what that means is that thousands of strangers can effectively contribute directly to your production code. Your product, through your software supply chain, is affected by unpatched vulnerabilities, innocent mistakes and even malicious attacks against dependencies. End quote. Most security professionals have no idea what code libraries our organizations are using directly, and absolutely no clue about what code libraries the original open source developers nested within. One temporary mitigation measure is egress filtering: blocking Log4j traffic from exiting the network until you can install a more permanent fix. The more permanent fix is to upgrade the bad software module with a patch or replace it with something else. When Log4j-type problems emerge, though, 80% of the mitigation work is just finding all the running instances. One solution to that problem is the incorporation of a Software Bill of Materials, or SBOM, a formal record containing the details and supply chain relationships of various components used in building software. The concept has been bouncing around the industry for at least a decade, but has gained little traction until now. With the 2021 supply chain attacks against SolarWinds, Accellion and others, there seems to be movement to make SBOMs a best practice. US President Biden's 2021 Executive Order on Cybersecurity mandates that all federal civilian executive branch agencies and key players will deploy a minimum SBOM program by the spring of 2022. For the rest of us, the concept is most likely at least five years away from reality.
Today, discovery of these kinds of injection vulnerabilities and other OWASP categories comes from independent researchers like Chen Zhaojun and from software scanning tools in the software composition analysis space. It's worth noting here that the Log4j module is over seven years old and neither group found this problem until now. It's also worth noting that the Log4j module vulnerability is probably just the tip of the iceberg. With 80% of public software repositories containing open source software, you know white hat, black hat and gray hat researchers will be rigorously mining that ground to find more problems in the near future. Nerd reference: On 20 December 2021, just before the holiday break, Eamon Javers from CNBC interviewed Jen Easterly, the US Cybersecurity and Infrastructure Security Agency Director, about the impact of Log4j.
Dave
So the Log4j vulnerability became public just about a week ago. What do you guys know now that we didn't know last week?
Jen Easterly
Yeah, so first off, I should say that the Log4j vulnerability is the most serious vulnerability that I have seen in my decades-long career. Yeah, and three reasons why: ubiquity, simplicity and complexity. So it is a piece of software, open source, that's in millions of devices, from video games to hospital equipment to industrial control systems to cloud services. It is trivial to exploit as a vulnerability. Essentially 12 characters, and a remote unauthenticated attacker can take over a system, can use it for stealing data, can use it for ransomware attacks, all manner of malicious activity. And it takes a very focused effort to be able to find and to fix the vulnerability because it's open source, so it is in all manner of vendor products.
Rick Howard
Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Dave
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.
Title: Log4j Vulnerability (noun) [Word Notes]
Host/Author: N2K Networks
Release Date: May 13, 2025
Description: Deception, influence, and social engineering in the world of cybercrime.
The episode delves into the critical Log4j vulnerability, a significant threat in the cybersecurity landscape. Rick Howard initiates the discussion by clarifying the technical aspects and historical context of Log4j.
Rick Howard [02:18]: "The word is Log4j vulnerability, spelled L for ledger, O for observation, G for gigantic, 4 for the number 4 and J for Java: an open source Java-based software tool available from the Apache Software Foundation, designed to log security and performance information."
Log4j's ubiquity makes it a prime target for attackers. Rick Howard explains how the vulnerability can be exploited and its implications.
Rick Howard [02:18]: "Its ubiquity stems from the fact that the code from the Apache open source cross-platform web server is the most popular web server software on the planet."
The episode explores the industry's response to the Log4j vulnerability and the strategies employed to mitigate its impact.
Rick Howard [02:18]: "One temporary mitigation measure is egress filtering: blocking Log4j traffic from exiting the network until you can install a more permanent fix."
Jen Easterly, US Cybersecurity and Infrastructure Security Director, provides her expert perspective on the Log4j vulnerability's significance.
Jen Easterly [08:16]: "The Log4j vulnerability is the most serious vulnerability that I have seen in my decades-long career."
The episode concludes by highlighting the ongoing challenges and the necessity for proactive measures in cybersecurity.
Jen Easterly [08:16]: "It takes a very focused effort to be able to find and to fix the vulnerability because it's open source, so it is in all manner of vendor products."
This episode of Hacking Humans provides an in-depth analysis of the Log4j vulnerability, its implications, and the broader context of cybersecurity challenges posed by widespread open-source software usage. It underscores the critical need for enhanced security practices and proactive measures to defend against evolving cyber threats.