Log4Shell is a security vulnerability that allows hackers to take control of machines remotely, to steal data, or to paralyze a site or an application.
With a level of danger rated 10/10 by a benchmark organization that lists computer vulnerabilities, it is already considered one of the most significant events in modern computing.
So, the challenge is simple to state, but very difficult to meet: how to stop the bleeding – how to protect from an attack?
Better understanding the Log4Shell vulnerability
Log4Shell designates a security vulnerability that affects Log4j, an open-source library distributed by the Apache Foundation. Programmed in Java, this library is found in many software programs and servers. Its function is to record activities and errors of an application for subsequent improvement.
Here, three important pieces of information should be detailed:
- Java is one of the most widely used technologies, executed by 97% of corporations and 3 billion mobile phones.
- A library represents pieces of code that only need to be called to perform an action. It lets developers save time and focus on higher value tasks.
- Open-source projects are often more secure because the source code is accessible to the public, who can inspect it and raise vulnerabilities.
It was Alibaba Cloud Security Team member Chen Zhaojun who discovered that Log4j could be used to execute code remotely and without authentication, and alerted the Apache Foundation.
… to better understand the extent of the damage
First disclosed on December 9, 2021, the numbers for the Log4Shell security flaw are already staggering:
- At least 44% of global systems have suffered an attempted attack, according to Check Point Software.
- Over 1,000 attack attempts per second have been recorded by Cloudflare.
- Several hundred million systems are exposed, according to the Cybersecurity and Infrastructure Security Agency.
In addition, Github has drawn up a list of the software affected by the Log4j critical vulnerability.
Among the companies and programs at risk are Minecraft, Google, Amazon, Twitter, Apple, Tesla, Steam, Twitter, Redis, Elasticsearch, and, of course, Apache.
All without forgetting the organizations, the administrations, and the solutions of certain software publishers.
How can Log4Shell shake up businesses?
The Log4Shell security vulnerability is of unprecedented magnitude, both in terms of its strength and its intensity.
Strength first. Remote code execution allows hackers to:
- Steal data to sell it later
- Install malware
- Control or block access in order to demand a ransom
- Spy on other devices
- Take control of the computer network
Next – intensity. Thanks to the popularity and proven reliability of the Java programming language, Log4j is present on an incalculable number of machines and servers. It is no longer a question of weeks, but of years before CIOs can inspect all infrastructure and services and correct the flaws.
Short-term solutions to protect your business from a Log4Shell attack
In the short term, companies can already take steps to protect their IT systems:
- Use the latest version of Log4j.
- Make an inventory of affected services.
- Use patches to cover the fault lines.
- Follow trusted recommendations, such as those from CISA (Cybersecurity and Infrastructure Agency) in the US.
- Stay current with updates from the Apache Foundation.
- Install a firewall web application.
Users for their part can:
- Update vulnerable software
- Perform up-to-date backups for storage offline
- Check that corrective measures have been applied by service providers
Long-term solutions: Security by Design and Pen Tests
In order to continue their activities in all circumstances, companies need to exercise constant vigilance and anticipate possible attack scenarios.
In this regard, two security practices stand out:
- Security by Design: The teams dedicated to security and development work together right from the product design phase. The goal: to develop and strengthen integrity and inviolability at each stage of the life cycle, facilitating maintenance to reduce costs.
- Pen Tests: Pen tests mimic the attack methods and techniques used by hackers, to identify security breaches in a computer system or software and correct them before they are exploited.
If you want to strengthen the security of your computer system and remove any doubts about its vulnerability, book a meeting with a Pentalog Consultant.