Background
On December 9, 2021, security researchers discovered a flaw (also referred to as a vulnerability) in the code of a software library used for logging security and performance information. The Apache software library, Log4j, is written in the widely used programming language Java, which is used worldwide in consumer and enterprise services, websites, and applications, as well as in operational technology products. As a result, the Log4j flaw is estimated to be present in over 100 million instances globally.
The flaw was rated critical, a 10 out of 10, in the National Vulnerability Database maintained by the federal agency NIST because of Java's widespread use and the potential impact if fully leveraged by attackers. The threat was described as a "zero-day" because there was no time for software developers to preemptively address the vulnerability: researchers and software developers had zero days to implement a fix before it may have been used in an attack.
Apache issued a fix on December 10. However, on December 13, researchers discovered that the fix was incomplete, and the vendor released a new fix. On December 17, new issues were discovered and Apache released yet another fix. As attackers continue to exploit Log4j in new ways and researchers respond to them, this cycle will likely continue.
Government Response
The federal Cybersecurity and Infrastructure Security Agency (CISA) and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of this vulnerability (CVE-2021-44228) in Apache’s Log4j software library.
On December 11, Jen Easterly, Director of CISA, issued a statement on the Log4j vulnerability which included the following information:
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Vendors should also be communicating with their customers to ensure end users know that their product contains this vulnerability and should prioritize software updates.
We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity. We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability. To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
In addition, CISA has launched a webpage, Apache Log4j Vulnerability Guidance, which provides the public with the most current information available about this programming flaw and guidance on how to mitigate the risks associated with Log4j.
Steps to Protect Your Organization
CISA urges organizations to review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance. Due to the widespread use of Log4j and evidence that organizations with vulnerable versions of Log4j are being actively targeted, CISA is encouraging all organizations to mitigate risk as soon as possible.
In addition, CISA has provided guidance both to software vendors whose products use Log4j and to organizations that use these products. Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions.
- Vendors
  - Immediately identify, mitigate, and update affected products using Log4j to the latest version.
  - Inform your end users of products that contain these vulnerabilities and strongly urge them to prioritize software updates.
- Affected Organizations
  - Identify all internet-facing assets that allow data inputs and use the Log4j Java library anywhere.
  - Identify all assets that use the Log4j library.
  - Update or isolate affected assets and assume compromise. Hunt for signs of malicious activity.
  - Monitor for odd traffic patterns.
  - Review CISA's GitHub repository for a list of affected vendor information and apply software updates as soon as they are available.
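The "identify all assets that use the Log4j library" step above can be automated on each host. The script below is an added example, not CISA's or Streamline Verify's code: it opens an archive, recurses into nested JARs (uber-jars and WARs bundle log4j-core as an entry), reads the log4j-core version from its Maven pom.properties, notes whether the JndiLookup class is present, and flags copies older than the fixed version you take from Apache's Log4j Security Vulnerabilities page (passed in as min_fixed). The entry paths are assumed from standard Maven packaging, and the sample WAR is constructed, containing no real Log4j code.

```python
import io
import zipfile

# Entry names inside a log4j-core jar under standard Maven packaging (assumption).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); non-numeric parts are dropped so tuples compare."""
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())

def inspect_archive(data, label, min_fixed):
    """Report log4j-core copies in one archive (bytes), recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = {}
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
        version = props.get("version", "unknown")
        # An unreadable version is treated as outdated: assume exposure until proven otherwise.
        outdated = version == "unknown" or parse_version(version) < parse_version(min_fixed)
        findings.append({"archive": label, "version": version,
                         "jndi_lookup_present": JNDI_CLASS in names, "needs_update": outdated})
    for name in names:  # shaded jars and WARs carry log4j-core as a nested entry
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(inspect_archive(zf.read(name), f"{label}!{name}", min_fixed))
    return findings

def build_sample_war(version, with_jndi=True):
    """Constructed test input: a WAR bundling a fake log4j-core jar (metadata only, no code)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, f"#constructed\nversion={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic bytes only
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", jar.getvalue())
    return war.getvalue()
```

To inventory a host, feed inspect_archive the bytes of every file matching the archive suffixes under your application and container directories; a finding with needs_update set is an asset for the update-or-isolate step.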
It is important to note that simply updating Log4j may not resolve the issue if an organization has already been compromised. In other words, updating to the newest version of any software will not remove access gained by adversaries or additional malicious capabilities dropped in victim environments.
Streamline Verify’s Response to the Log4j Vulnerability
CISA recommends that any organization that relies on outside providers for services that may use Log4j work with those providers to ensure these third-party relationships do not expose it to undue risk. Streamline Verify has been contacted by clients inquiring about the impact of Log4j on its software application.
Streamline Verify takes all threats to data security very seriously. When a potential critical threat such as Log4j is identified, all steps are taken to investigate and fully mitigate any potential risk. Accordingly, Streamline Verify immediately conducted a comprehensive audit of its systems to verify that our application is not at risk and concluded that it is not impacted by the Log4j vulnerabilities. The audit proved that Streamline Verify's tech stack does not use Java in any externally facing systems. Two internal tools are Java-based, but neither uses Log4j nor is internet accessible.
Streamline Verify continuously monitors both industry and government issuances to ensure that any potential vulnerability is reviewed for applicability and addressed immediately where necessary. We understand that a focus on data security is mission-critical, both to protect client information and to develop cutting-edge technology to meet the dynamic needs of those clients.