Log4j Vulnerability Impact Grows
Log4j is a very popular server logging package used across the Internet on Linux servers and other devices. This package is used not only in corporate software development environments, but also by very well known companies like Apple. It is also used in IoT devices and other appliances.
DHS’s CISA has created a web page with guidance, here and has also put out an alert, here.
Unfortunately, due to the current state of the software industry, users will have difficulty knowing whether any software that they are running or that they are using that is running in the cloud is impacted.
If vendors were required to provide a software “bill of materials”, something which is being mandated for software used by the federal government as a result of the President’s Cybersecurity EO, then consumers like you and me would have a chance at knowing what software is impacted.
For those with a strong IT department, some vendors have released detection tools for businesses to figure out if they are running software that is vulnerable. (for example, here is Datto’s announcement, but you have to be running their management software).
CISA created a “must patch” list for executive branch agencies a month or two ago. This list includes bugs that agencies must patch and this bug was added to the list, along with 12 others.
SC Magazine says that the cleanup from this will take months, at least. Some companies will not be responsible and will not spend the time to clean up their part of the mess (i.e., patch their vulnerable software). If they don’t tell us that their software is vulnerable – and legally they are not required to – then we will continue to use it, not understanding that our systems and our data is at risk.
If this bug is exploited, and it can be exploited remotely, all data on the impacted system is at risk!
It is also important to understand that hackers, who are ALREADY exploiting this bug, will add back doors into infected systems so that even after the bug is patched, the hackers will remain inside many networks, lurking undetected.
There are many cases of hackers remaining inside corporate networks, undetected, for years.
Given that there are 3 billion or so devices running Java, some percentage of those need to log and this is the go to package. Many of those devices will never be patched and always be a hole into your network.
Among vendors that we think are impacted are Amazon’s AWS, Broadcom, Cisco, Connectwise, Fortinet, HCL, IBM, N-Able, Okta, VMWare and likely hundreds of others. Not all products from these vendors are affected.
Businesses need to hold their vendors accountable. Unless you are a big company with clout you probably can’t force your vendors to be accountable, but if you don’t ask, you certainly won’t get information.
Also, all users need to stay current on all patches. Hopefully, most vendors will be responsible and release patches. This is one place that small companies get to benefit from large businesses ability to beat up the same vendors that you use.
Users get to be vigilant. Probably vendors will be releasing patches over the next few months. This one will not be over soon. Vendors may release alerts and workarounds.
If you are running any old, unsupported software, you are basically on your own. Not only will you not get any patches, you probably won’t even know that you are running affected software.
Also remember that if your vendor gets hacked as a result of this bug, you are both responsible and likely legally liable. Just saying.
If you have questions, please contact us.