Log4j Vulnerability Sweeps the Globe

Written by: Brock Wolf, Esq.

Earlier this month, on December 9, 2021, a critical vulnerability was discovered in the Apache Software Foundation’s (“Apache”) Log4j code, potentially providing threat actors with access to millions of computers and devices worldwide.

On December 10, the director of cybersecurity at the National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) warned the public of the vulnerability.

1. What is Log4j?

Log4j is a Java library used for logging errors and events in Java-based applications. Software developers around the globe have relied on Log4j, an open-source solution, rather than developing custom solutions.

Log4j is so widely used that CISA estimates that hundreds of millions of devices around the world are susceptible to the vulnerability. Vulnerable devices include any devices connected to the internet that utilize the Log4j library. Such devices may include cloud services, servers and even network printers or cameras.

2. What has been the impact of the vulnerability?

Threat actors have been moving quickly to exploit the vulnerability. Security firm Check Point reported on Monday, December 20, that it has observed attempted exploits of the Log4j vulnerability on more than 48% of global corporate networks.

The vulnerability extends far beyond the private sector. Belgium’s Ministry of Defense confirmed an attack on its computer system using the Log4j vulnerability. Stateside, CISA has issued an emergency directive ordering federal agencies to immediately patch their systems against the Log4j vulnerability or remove impacted software from the network.

As we move into the new year, exploitation of the vulnerability by threat actors is only expected to grow.

3. How should businesses proceed?

Companies need to act quickly in assessing whether they, or any of their service providers, use Log4j. Apache has released software patches that address the vulnerability, and companies should ensure that their systems and devices using Log4j implement the latest patches. As this situation develops, companies should continually conduct security reviews to determine if they have been affected.

CISA has published vulnerability guidance and is maintaining a community-sourced GitHub repository that lists available information about affected software. Companies should monitor this guidance and repository to check the status of software they use.

If a company finds it has been compromised due to the Log4j vulnerability, it should submit a complaint to the FBI’s Internet Crime Complaint Center (“IC3”).
