- The Apache Log4j vulnerability has likely impacted hundreds of millions of devices and can be exploited by a wide range of threat actors, Jen Easterly, Cybersecurity and Infrastructure Security Agency director, and other agency officials told state and local officials, and critical infrastructure providers.
- The Log4j vulnerability is among the most serious cybersecurity risks since WannaCry, security analysts and industry researchers said. The vulnerability has serious implications for enterprise security and threat actors are actively launching botnet and cryptomining attacks. Ransomware attacks are expected to follow, industry researchers said.
- Mandiant, an incident response specialist, is seeing Chinese government threat actors use the Log4j vulnerability already, Charles Carmakal, SVP and CTO, said through a Mandiant spokesperson via email. Mandiant officials did not provide details of the attack or any other evidence, however they did confirm that federal officials are aware of the alleged activities.
The Log4j vulnerability is extremely widespread and could potentially impact everything from applications and embedded systems to complex enterprise applications and their subcomponents, according to Jonathan Care, Gartner senior research director. As a sign of how far the impact has reached, there are concerns that the vulnerability may potentially impact the Ingenuity helicopter currently exploring the planet Mars, he said.
Check Point Software is reporting more than 800,000 attempts to launch attacks 72 hours after initial reports of the vulnerability went public on Friday Dec. 9. The figures are based on sensor data collected by Check Point.
The frequency of attacks has jumped exponentially since the initial attacks, which measured about 40,000 on Saturday, Dec. 11, Check Point found.
Cybersecurity and software development leaders need to make "identification and remediation of this vulnerability an absolute and immediate priority," Care said via email. Exposure to Log4j is extremely likely and even if a system doesn't use Java, organizations should anticipate that key supplier systems, like SaaS vendors, cloud hosting providers or web server providers, do use Java.
"Log4j is a library that is built into the logging functionality of a very large portion of the internet," said Nicholas Luedtke, principal analyst at Mandiant. "It is embedded/used by a ton of software that runs websites, clouds, security services, games, etc."
Since logs are important for security, debugging and audit trails, Luedke said it's important for some part of user controlled data to go into log files.
"Enterprise clients are scrambling to address this vulnerability," said Allie Mellen, analyst, security and risk at Forrester. "They are looking for the most up-to-date information on how to patch this vulnerability on their own systems, which of their vendors are affected and what is the timeline from these vendors for patching."
CISA officials urged companies to take three urgent steps:
- Enumerate external facing devices that have Log4j
- Ensure security operations centers are actioning alerts on these devices
- Install a web application firewall using rules that automatically update so SOC teams don't have to focus on constant alerts.
CISA will also be updating a webpage with guidance on the vulnerability.
Amid the widespread response, vendors are actively investigating their applications for potential impact from the Log4j vulnerability.
"As with many software companies across the industry, VMware is working diligently on publishing fixes and workarounds for the Apache Log4j vulnerability, CVE 2021-44228," according to a statement from the company. "A VMware Security Advisory has been published, and customers should continue to visit the advisory for updates on impacted products, fixes and workarounds."
Cisco too is investigating which of its products may be affected by Log4j, a spokesman said via email. "Cisco is committed to transparency. When security issues arise, we handle them openly and as a matter of top priority, so our customers understand the issue and how to address it."
Cisco published a security advisory with regular updates and is also updating a security response page.
Microsoft is also analyzing its applications for impact from the Log4j vulnerability.