What Security Leaders Need to Know — and Do — About the Log4j Vulnerability

December 15, 2021

Contributor: Meghan Rimol

Understand the risks it poses and the steps to take to secure your enterprise systems against potential associated threats.

On December 9, the Apache Software Foundation released a security advisory addressing a remote code execution vulnerability (CVE-2021-44228) affecting its Log4j Java-based logging utility. MITRE rated the vulnerability as critical severity and assigned it a CVSS score of 10/10. Shortly thereafter, attackers in the wild began exploiting the Log4j vulnerability, prompting government cybersecurity institutions worldwide, including the United States Cybersecurity and Infrastructure Security Agency and Austria's CERT, to issue alerts urging organizations to patch their systems immediately. 

To better understand the security and enterprise impacts of the Log4j vulnerability, we spoke with Jonathan Care, Senior Director Analyst at Gartner, about the risks that this vulnerability poses for organizations and the steps that security leaders must take to secure their enterprise systems against potential associated threats.

Download now: The Top 3 Strategic Priorities for Security and Risk Management

How widespread is the Log4j vulnerability, and what kinds of systems are affected?

The Log4j vulnerability is extremely widespread and can affect enterprise applications, embedded systems and their sub-components. Java-based applications including Cisco Webex, Minecraft and FileZilla FTP are all examples of affected programs, but this is by no means an exhaustive list. The vulnerability even affects the Mars 2020 helicopter mission, Ingenuity, which makes use of Apache Log4j for event logging.

Learn more: What Is Cybersecurity?

The security community has created resources cataloging vulnerable systems. However, it’s important to note that these lists are constantly changing, so if a particular application or system is not included, don’t take it as assurance that it isn’t impacted. Exposure to this vulnerability is highly likely, and even if a particular tech stack does not use Java, security leaders should anticipate that key supplier systems — SaaS vendors, cloud hosting providers and web server providers — do.

Presuming the vulnerability is exploited, what threat does this pose to enterprise applications and systems?

If left unpatched, attackers could use this vulnerability to take over computer servers, applications and devices, and infiltrate enterprise networks. We are already seeing reports of malware, ransomware and other automated threats actively exploiting the vulnerability.

The attack barrier for this vulnerability is extremely low — all it requires is an attacker typing a simple string into a chat window. The exploit is “pre-authentication,” which means an attacker does not need to sign into a vulnerable system to overcome it. In other words, expect that your web server is vulnerable.

What steps should cybersecurity leaders take to protect their enterprises?

Cybersecurity leaders need to make identification and remediation of this vulnerability an absolute and immediate priority. Start with a detailed audit of every application, website and system within your domain of responsibility that is internet-connected or can be considered public-facing. This includes self-hosted installations of vendor products and cloud-based services. Pay particular attention to systems that contain sensitive operational data, such as customer details and access credentials.

Once this audit is complete, turn your attention to remote employees, and ensure that they update their personal devices and routers, which form a vital link in the security chain. This will likely require a proactive, involved approach, as it is not sufficient to simply issue a list of instructions, given vulnerable routers provide a potential entry point into key enterprise applications and data repositories. You’ll need the support and cooperation of the broader IT team.

Overall, this is the time to invoke formal severe incident response measures in line with organizational incident response plans. This incident merits involvement at all levels of the organization, including the CEO, CIO and board of directors. Ensure you’ve briefed senior leadership and that they are prepared to respond to questions publicly. This vulnerability and the attack patterns exploiting it are unlikely to subside for some time, so active vigilance will be important for at least the next 12 months.

Experience IT Security and Risk Management conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.