Case Study: Log4J Vulnerabilities in 2021

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

For a really clear picture of how this process works and why it’s important to your company, there is no better case study than the Log4J vulnerabilities identified in late 2021.

A standard open-source logging library for the Java language, Log4J is the de facto logging choice for a huge number of applications around the world.

In late 2021, researchers identified a remote code execution vulnerability in the source code for this library. They filed a vulnerability disclosure to both the Apache Software Foundation and NIST, resulting in a worldwide response.

Within hours of the disclosure, people and bots were actively scanning any site on the internet. We saw significant scanning activity that started quickly and ramped up over days.

Due to the relative ease of the exploit and the difficulty in closing all permutations of the attack, there was no choice but to patch the software itself rather than try to fend off attacks at the perimeter.

As more became known about this vulnerability, it became clear that Log4J was embedded into a significant number of applications globally and a significant effort would be needed to keep these applications and their data safe. In the US, this effort was led by the Cybersecurity and Infrastructure Security Agency (CISA) and included the creation of a GitHub repository for the application development community to collaborate in and share recommendations for remediation, as well as confirm affected software and companies. Check out this timeline of events as documented during the first weeks of the issue for a clear understanding of how quickly things progressed from vulnerability to exploitation, and finally to remediation.
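An added example, not from the book: because Log4J often ships inside other vendors' archives, an inventory has to look inside nested jar, war and ear files rather than only at top-level file names. The Python below does that; the package path used as a marker, the function names and the sample archive are assumptions made for illustration.

```python
import io
import os
import zipfile

# Assumption: any entry under this package path means log4j-core is bundled.
CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5  # bound recursion into nested archives

def find_log4j(data, label, depth=0):
    """Return nesting paths of every archive inside `data` that bundles log4j-core."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive: nothing to report
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            hits.append(label)
        if depth < MAX_DEPTH:
            for name in names:
                if name.lower().endswith(ARCHIVE_EXTS):
                    hits += find_log4j(zf.read(name), f"{label}!/{name}", depth + 1)
    return hits

def scan_tree(root):  # scan every archive under a directory, e.g. an install path
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits += find_log4j(fh.read(), path)
    return hits

def make_zip(entries):  # helper that builds the constructed sample archives below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: a vendor application that ships the library in a nested jar.
    lib = make_zip({CORE_PREFIX + "Logger.class": b""})
    clean = make_zip({"com/example/Util.class": b""})
    app = make_zip({"BOOT-INF/lib/logging.jar": lib, "BOOT-INF/lib/util.jar": clean})
    return find_log4j(app, "vendor-app.jar")
```

A hit only shows that the library is bundled; whether that copy needs patching depends on its version, which has to be checked against the vendor advisory. Copies repackaged under a renamed package path are not detected.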

Important: Some key points to take from this case study:

  • Software we rely on to do mundane but essential tasks in our applications and software may have vulnerabilities that can be discovered at any time by a sufficiently motivated vulnerability researcher.

  • These vulnerabilities not only affect the code we write, but also the applications we use to run our businesses—from our office suites to our accounting tools. The world runs on software, and our businesses are exposed to risk from every tool we use.

  • Watching security news or other technology information sources is essential for leaders of growing companies and for the engineers and security specialists in the more established companies.

  • These risks are not theoretical and, once they are identified, you need to have a plan for how to respond.

So, let’s spend some time looking at how exactly we can respond to an issue like this vulnerability, and what we can do to fix or adapt if we are affected.

Responding to a Security Vulnerability

If you’ve been notified that a tool or technology you use has a security vulnerability, there are actions you can take and mitigations you can put in place.

Step 1: Research the Vulnerability

Before we act, it’s crucial that we understand the risk this vulnerability poses to our organization. This starts with asking the following questions:
