News of a major exploit using the Log4j vulnerability four months after its disclosure has been a painful reminder that the issue is still a serious problem. Reports are now linking China’s APT41 hacking group with breaching at least 6 U.S. state government networks and the situation may go from bad to worse. As reported by Venturebeat:
"… in all likelihood, the full extent of the damage will still be unknown for some time. For instance, attackers may be waiting for an opportune time to use the access they gained through breaching systems using Log4Shell.”
As Sonatype CTO Brian Fox explained,
"These events track with the typical time lapse we’ve seen with zero-day vulnerabilities like Log4Shell. The Equifax breach, which was similar in nature, took around five months to clear the airwaves from the initial exploit. So, from a historical perspective this isn’t surprising: a high-spread, low-complexity vulnerability equals a 100 percent chance of being used."
There are other published examples of successful Log4j exploits, including Fintech ransomware, the Belgium defense ministry, and a Dridex banking trojan. However, no issue so far has risen to this level of potential harm.
How did we get here?
It was only a day after the initial announcement that the CVE-2021-44228 exploit was published. Federal employees were asked to work over the holiday to help resolve issues that could affect infrastructure and national security. In January, U.S. officials were warning about long term fallout from Log4j and the FTC issued a warning to companies who did not remediate this issue.
The Biden White House even addressed issues for both public and private entities.
Log4j event timeline
With all the press and attention given, there remained hope there wouldn’t be a significant intrusion, but the ease of attack and widespread use of the open source component made that seem unlikely.
Definitely not over
Advice from Brian Fox:
"The reason this is still a problem is that so many companies have not covered the basics, and simply don’t understand what’s in their software. Our data shows that nearly 40% of Log4Shell downloads are still of vulnerable versions. Meaning there’s a high chance that other state and national governments — not just in the U.S. — will be breached in the coming months by bad actors.”
"What I advise now is what I’ve advocated for a long time: urge your software vendors to create and continuously update a software bill of materials and invest in a tool that includes Software Composition Analysis (SCA). To be really responsive, you need a tool that's telling you about a new vulnerability along with all the places that are affected. SCA tools provide insights about the components in a project and determines the potential risk.
These tools should be automated to monitor components across the entire Software Development Lifecycle.”
Development teams who aren’t Sonatype customers can access a free software bill of materials creation tool and a free vulnerability scanner. This lets you scan and explore software components, as well as issues around security and licenses.
Governments in particular should begin or continue to pursue Zero Trust models with goals and strategies to protect government and infrastructure.
Maven Central users should visit the dedicated help site.
Open source software community can access our free tools
All of this can help you avoid headaches, FTC lawsuits, customer data loss, and bad publicity.
Visit our Log4j Resource Center.
Watch Sonatype’s Log4j discussion with our experts in an "ask me anything”-style live panel.