
What the Log4j Vulnerability Means for SMB Professionals
December 21, 2021
A major security flaw in an application used by programmers to record activities for applications and software in devices and various services is making the headlines. National cybersecurity agencies and experts are calling for urgent action after it was reported last week.
Log4j is a component of software that developers use to record activities in an application. It is used in millions of Java applications and when located by hackers it can be exploited with relative ease. Hence, it has received a very high threat rating.
The growing concern is over the scope of impact as millions of applications use Log4j, especially some of the largest providers of services and products. While most companies have raced to identify and patch affected systems and applications as urgently as possible, this remains an ongoing threat as updates are made and tested.
What is the issue?
Companies such as Apple, IBM, Microsoft, Oracle, Cisco, Google, and Amazon all run applications and make products that use Log4j. It could be present in popular apps and websites. As well, hundreds of millions of Internet-connected devices around the world that access these services and products could also have the vulnerability.
If a cyber criminal can successfully exploit Log4j, they have free reign to install software or perform other tasks without restriction. Reports indicate that attackers have already used the vulnerability to install software to mine cryptocurrencies, install ransomware, covertly record keyboard entries (key logging), and steal user credentials or other data.
What does it mean for me?
Since the vulnerability largely affects applications and devices, especially some of the largest cloud service providers, most people will be affected indirectly as users of these products and platforms. Small businesses may be directly affected if they run software or have a website that uses Log4j in its software code.
This vulnerability is relatively easy to exploit for hackers, but it is also relatively easy to fix at the source once it’s found. The problem is that it is such a severe and widespread issue, because of how pervasively the Log4j tool is used in applications, that it’s not a matter of issuing one software update like some other major vulnerabilities. It is going to require time and effort to ensure that every instance of this flawed code is patched in every application that uses it.
What should I do?
Since this is an exploit that concerns applications, platforms, and devices, you may want to check with the provider who hosts your website or any other application or service you own or use that are critical to your business. Consider places and applications where you store important data or do transactions that involve confidential or personally identifiable information (PII). Ensure the vendor or developer is aware of the issue and has taken action to remediate any weaknesses.
While the Log4j logging tool can be used by many different types of applications and software in devices, the most prevalent and serious threat as this time is to servers and server applications.
Developers using Log4j should ensure that they are incorporating the latest version of Log4j into their applications as soon as possible to protect users and organizations. Users should be on the look-out for communications from service providers with updates about this issue and how it relates to them. Organizations should contact application vendors or service providers to ensure that their Java applications are running the latest version.
For the time being, there isn’t much more for the average user to do because the responsibility is on developers and vendors to patch their software and issue updates. However, people should pay close attention to this vulnerability and its potential to trigger high-impact attacks against a wide variety of apps and services.
Sources:
Apache Log4j Vulnerability Guidance - Cybersecurity & Infrastructure Security Agency
CVE-2021-44228 Deteil - NIST National Vulnerability Database
The Log4j security flaw could impact the entire internet. Here's what you should know - CNN
Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet - Ars Technica
NPC Files.