What is the Log4j vulnerability?
There's a new security hole that cybercriminals are exploiting called the Log4j vulnerability. Log4j is a library that is used by millions of Java applications, and has impacted major tech organizations like Apple, Twitter, Redis and Tesla. When this vulnerability is exploited, cybercriminals will have access to execute malicious code and wreak havoc in your network. You can dive into the technical details on the NIST site here: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Why is patching this vulnerability a problem?
The biggest challenge is finding Log4j because of the way Java packaging works. Most organizations have Log4j hiding in their application, and they're not even aware of it. In the Java world, dependencies are distributed as Java archive (JAR) files, which are packages that can be used as a Java library. While it seems simple enough to identify packages that have been affected, JAR files typically contain other JAR files to satisfy a dependency. This means that vulnerabilities can be hidden deep within an application, especially when a single dependency can require hundreds of other dependencies to work.
What should you do to protect your organization?
The Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j (aka Log4Shell, ID: CVE-2021-44228). If you are aware that your applications are vulnerable, then you should deploy this fix immediately. If you are not sure, then there are two open source tools led by Anchore that have the ability to scan a large number of packaged dependency formats, identify their existence, and report if they contain vulnerabilities. You should also test your applications with a Log4Shell vulnerability scanner, which can be used to determine if your applications are properly updated.
If you concerned that you are susceptible to the Log4j vulnerability, then reach out to Beringer Technology Group today, and we'll test your applications for this vulnerability. We can also help evaluate your current cybersecurity posture with our our Cyber Security Risk Assessment Solution, and implement the right security solutions for your organization.
Beringer Technology Group, a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution also provides expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, Email Security Implementation and Training, Unified Communication Solutions, and Cybersecurity Risk Assessment.