Log4J Reunion Tour 2022

The Complete Log4J Vulnerability Retrospective 2022

_The unofficial, unauthorized retrospective, 9 months later._

Picture this: a vulnerability so pervasive that it shakes the very foundations of open-source software reliance. That’s exactly what happened with the Log4j vulnerability. It wasn’t just another bug in the system; it was a loud, blaring siren for everyone using open-source software.

If it was not clear before, after Log4j, it certainly is now! Everybody uses open-source software in their applications. There are no exceptions, and as a result, we are all at risk of being breached by vulnerabilities in open-source software. The Log4J bug wasn’t just a wake-up call; it was a full-blown alarm.

A Global Ripple Effect: The Apache Log4j Crisis

The Apache Log4j vulnerability was one of the most significant breaches in recent history. Its impact was felt worldwide, and the repercussions are still being felt today.

In this live event, Lunasec founder and CEO Free Wortley, AppSec Expert Jim Manico, and vulnerability scanning implementor (and Apache committer) Julius Musseau come together to discuss the 2021 Log4J debacle.

It’s been nine months since the Log4j vulnerability was disclosed! Aside from Minecraft, have any serious breaches dropped in the last 9 months? Or did everyone fix it in time? And what was so special about this bug?

To understand the issue and prepare for the future, we need to analyze the root causes of the breach and come up with a set of recommendations that can help prevent similar issues.

  • What did library developers learn from the incident?
  • What have common app developers learned?
  • How should the software industry prepare for future incidents of this scale?

 

Learn from the past and prepare for the future.

Deep Dive into the Log4j Vulnerability

Log4J Timeline

Let’s take a stroll down memory lane and see how Log4j evolved:

  • 1999 – Log4J 1.x is born
  • 2014 –  Log4J 2.x is born (includes: JNDILookup.class)
  • 2015 – General purpose JNDI exploit technique demonstrated at BlackHat
  • 2021 – November 24th – Vulnerability shared (privately) with Apache
  • 2021 –  December 4th –  An interesting commit lands
  • 2021 –  December 9th – First Annual Log4J Global Day of Celebration
  • 2021 – December 10th – Version 2.15.0 Published

Understanding the Log4J Vulnerability

The Log4J vulnerability is a critical security flaw in the Apache Log4j library, widely used in Java applications. This vulnerability allows attackers to execute arbitrary code remotely, posing a severe risk to affected systems.

MergeBase’s Log4J Detector

With Mergebase’s Log4J Detector tool, you can accurately find the log4j vulnerabilities in any cloud system, web applications, situation, and context.

The process involves scanning Java libraries on a system and injecting instrumentation that allows for detailed monitoring and, crucially, the ability to block harmful functions at a granular level. By applying MergeBase’s Dynamic Application Surveillance and Hardening, users can disable specific functions known to be vulnerable, such as those in the Log4J library, without needing extensive developer knowledge.

The MergeBase dashboard provides a comprehensive view of the application components, highlighting detected vulnerabilities and allowing users to set block or monitor actions on suspicious methods.

CSRB’s Report

A new report from the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity and Infrastructure Resilience Bureau (CSRB) addresses the continued risk posed by vulnerabilities discovered in late 2021 in the widely used Log4j open-source software library, one of the most serious vulnerabilities discovered in recent years.

“Our nation’s cybersecurity depends on the security of the software we all use every day” said Tonya Ugoretz, Director of the CSRB.

The report contains 19 recommendations for government and industry, focusing on driving better security in software products and enhancing public and private sector organizations’ ability to respond to severe vulnerabilities. The goal is to identify and share lessons learned to enable advances in national cybersecurity.

Some of the strategic recommendations are:

  • Addressing Log4j Risks: Ongoing vigilance and best practices are essential in managing the risks associated with Log4j.
  • Promoting Security Hygiene: The report emphasizes the need for robust security practices across the board.
  • Building a Better Software Ecosystem: A call to action for enhancing the security framework within which software is developed and maintained.
  • Future Investments: The necessity for strategic investments in cybersecurity to fortify digital infrastructure.

This report serves as a roadmap for enhancing our cyber resilience and safeguarding organizations.

Advice for Library Developers

  • Be more careful when preparing the fix. 
  • GitHub has the capability to make the pull requests and the issues private even though you’re running on a public repo.
  • Security audit code audit needs to be happening regularly with libraries that are used everywhere.

Advice for Library Consumers (a.k.a. Software engineers)

  • Know the libraries that you have (SBOM)
  • Keep your libraries updated and patched.
  • Keep tabs on your SCA tool – for example: How quickly was your team able to become aware of the path and how quickly they are able to apply the patch?

Advice for CISO’S & Executives

  • Don’t let your developers pick any third-party library enrolled in production; you need a stronger vetting process and understand the business risk of choosing a third party.
  • Running an SCA tool, like MergeBase, several times a day.
  • Have the willingness to update your libraries. Suggestion: keep all your libraries updated but keep one month behind an update unless you need to be at the bleeding edge because there’s a security vulnerability. Otherwise, keep a month behind the top level and then update it to avoid supply chain issues.

Ready to start to mitigate risks?

The Log4j incident isn’t just a chapter in a cybersecurity textbook; it’s a lesson for all of us in the software world. It’s about staying alert, being prepared, and always being ready to adapt.

Whether you’re a developer, a library consumer, or a CISO, the Log4j incident has shown that the right tools and strategies are crucial for safeguarding your software supply chain.

Take control of your software’s security and stay a step ahead of potential threats. Experience the power of proactive protection with MergeBase.


Oscar van der Meer

About the Author

Oscar van der Meer

Inspiring leadership and innovative technology expertise in Digital, Payments, Finance and Artificial Intelligence.