Serious vulnerability: Log4J


We sent the following notice to all Fractional CISO clients yesterday.

We are sending this notice to all Fractional CISO clients to inform them about an extremely critical zero-day vulnerability that requires immediate attention – right now, not on Monday. This vulnerability is pervasive, Internet-facing, and easily exploitable by anybody with limited hacking experience.

What’s happening:

A vulnerability was announced recently that affects the popular Java logging library “log4j”. This vulnerability is extremely serious because even trivial exploits can lead to complete compromise of the affected systems. 

Are you vulnerable? 

Assume you are vulnerable until you confirm you are not. Further, if you have a vulnerable system, you may already have been exploited. Specifically, anyone running Java server or Java client applications with log4j versions 2.0 (released in 2014) to 2.15 (released this week) is vulnerable. Log4j is used in almost all Java applications; if you write Java code or use Java applications, you are almost certainly vulnerable.

What you need to do: 

Survey your environment for Java applications, both code you create and third-party applications.

Option 1: Upgrade log4j to version 2.15.0.

Option 2: If using log4j 2.10.0 to 2.14.1, configure log4j with “formatMsgNoLookups=true”.

Option 3: If using a version older than 2.10.0 and you cannot upgrade, modify every logging pattern layout to use %m{nolookups} instead of %m in your logging config files.

More information: https://www.lunasec.io/docs/blog/log4j-zero-day/
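As an added example (not part of the notice above), the following Python script turns the survey step and the three options into a check you can run on each host: it inspects a jar, including jars bundled inside fat jars and .war files, for log4j-core's JndiLookup.class and its pom.properties version, and reports which option from the notice applies. The version thresholds follow the notice as written, and the sample jars it builds are constructed input, not real log4j artifacts.

```python
import io
import re
import zipfile

# JndiLookup.class is the lookup code path; pom.properties carries the version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(pom_properties):
    """Extract (major, minor, patch) from the 'version=' line of pom.properties."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def advise(version):
    """Map a log4j-core version onto the three remediation options in the notice."""
    if version is None:
        return "treat as vulnerable: JndiLookup.class present, version unknown"
    if version >= (2, 15, 0):
        return "ok: 2.15.0 or later (option 1 already applied)"
    if version >= (2, 10, 0):
        return "vulnerable: upgrade to 2.15.0 (option 1) or set formatMsgNoLookups=true (option 2)"
    return "vulnerable: upgrade to 2.15.0 (option 1) or use %m{nolookups} in every pattern layout (option 3)"

def inspect_jar(data, path="<bytes>"):
    """Return (path, version, advice) for a jar and for any jar nested inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        if JNDI_CLASS in names or version is not None:
            findings.append((path, version, advise(version)))
        for name in names:  # fat/uber jars and .war files bundle log4j-core inside them
            if name.endswith((".jar", ".war", ".ear")):
                findings.extend(inspect_jar(zf.read(name), f"{path}!/{name}"))
    return findings

def build_sample_jar(version, nest_in_fat_jar=False):
    """Constructed input: a minimal archive that mimics log4j-core's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not real
        zf.writestr(POM_PROPS, f"version={version}\n")
    if nest_in_fat_jar:  # e.g. a Spring Boot fat jar keeps libraries under BOOT-INF/lib
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr("BOOT-INF/lib/log4j-core.jar", buf.getvalue())
        buf = outer
    return buf.getvalue()
```

To survey a host, call inspect_jar(p.read_bytes(), str(p)) for every .jar, .war and .ear found under the application directories and review the advice column; an archive that contains JndiLookup.class but no pom.properties is reported as vulnerable with an unknown version rather than silently skipped.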

How does the vulnerability work?

Log4j is used to configure logging in applications, such as web server access logs, which often contain data submitted by the user's browser, like a requested URL or the User-Agent HTTP header. The vulnerability relates to how log4j processes user-supplied data that contains "JNDI" variable references. Using these variable references, attackers are able to trick log4j into executing code remotely on vulnerable systems.

Going forward, it is going to be critical to block this traffic from reaching Java applications. Vendors are probably working on this tooling now; be on the lookout for messages and updates.

More Information: https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit
