With the whole world losing their marbles over the Apache Log4Shell vulnerability (and rightfully so), many companies are left wondering, “How does this affect me?” If you have not yet read one of the hundreds of articles floating around on the interwebs regarding this topic, let this be one that helps answer that question, especially if you’re a third-party provider.
First, let’s understand what happened. CVE-2021-44228, aka Log4Shell, has been described by the National Institute of Standards and Technology (NIST) as deserialization of untrusted data, uncontrolled resource consumption, and improper input validation. What this means is that an unauthenticated attacker can achieve Remote Code Execution (RCE) against software that uses the Java logging library Log4j, versions 2.0 through 2.14.1.
Once this vulnerability is exploited, attackers can execute arbitrary code to install backdoors and establish persistence in the victim’s environment, with the aim of returning later to deliver malware through email or stolen log-ins. Researchers are already calling this threat “wormable” (referring to its ability to multiply and spread quickly) and expect exploitation to continue for months or even years, gradually tapering off over time as companies make remediation efforts.
Patching and mitigation diligence (e.g. tightening up access management, hardening LDAP servers, and blocking malicious IPs at the firewall) are the only solutions. This vulnerability poses a high risk to all sectors, whether government, business, or private home users.
If you are a third-party vendor (and as businesses, we all are), clearly this should be a concern. Not only is your business reliant upon your relationships with your customers and partners, but they have to trust that you are doing your part to shore up your network, patch, and harden so they remain safe from you.
With over 200 companies worldwide having already been affected by this exploit, including giants like Amazon, Cisco, and IBM, the chances of this hitting close to home are plenty.
CyberGRX has already uploaded a LogJam threat profile in our mapping database so our third parties can use it to discover if their existing controls are sufficient to keep this threat at bay, or whether some remediation is needed.
By utilizing this tool, you are showing your customers that this concern is a priority for you and your continued business partnership with them. As ubiquitous as Log4Shell is, staying on top of the game is imperative.
A simple way to help yourself stay current on cyber events, necessary patches, and remediation techniques for emerging critical vulnerabilities is to sign up for email notifications from organizations like the Multi-State Information Sharing and Analysis Center (MS-ISAC) from The Center for Internet Security (CIS), the United States Computer Emergency Readiness Team (US-CERT) from the Cybersecurity & Infrastructure Security Agency (CISA), and InfraGard from the Federal Bureau of Investigation (FBI). All of these agencies send out alerts that provide an overview of the exploit, threat intelligence, systems affected, risk impact to your organization, a technical summary, recommendations, and references. Expect that, as time goes on and more is learned about this vulnerability, new information will be released, and it is up to you to stay on top of it.
CyberGRX customers and third parties now have access to the LogJam Threat Profile, available in the Framework Mapper tool. This profile allows a company to pull a report for individual third parties to view their coverage of controls that have specifically been identified as being critical to preventing, detecting, or responding to the Log4j vulnerability. In line with our other threat profiles (Codecov, Accellion, SolarGate, etc.), this new threat profile provides a view of how the third party rates against each identified control. Companies can filter by those controls that are missing or absent and follow up with the third party to request remediation.