Understanding the vulnerability
On the morning of December 9, 2021, the security team at Alibaba Cloud published an arbitrary code execution vulnerability in Log4j, a widely used Java-based logging framework, which allows threat actors to gain complete remote access to web servers and application logs. The vulnerability was dubbed Log4Shell.
The United States Cybersecurity and Infrastructure Security Agency also issued guidance about a vulnerability in Apache’s Log4j software on Monday, December 13, 2021. Subsequently, a second vulnerability was announced due to an incomplete patch. Apache Log4j is Java software widely used by many companies for logging purposes. It is often included or bundled with third-party software packages.
First discovered on the 24th of November, the vulnerability was already being exploited, with cybercriminals scouring the internet to gain access to affected systems. The exploit came at a strategic time, when almost half the workforce is unavailable to staff damage control operations on account of the holiday season.
Present and future considerations
The vulnerability does not directly affect the majority of end consumers, owing to the diminishing popularity of Java in consumer programmes; however, the logging library remains in broad use among enterprises. Therefore, the zero-day vulnerability has prompted major corporations and government agencies throughout the world to identify affected systems, apply patches and install updates to prevent data breaches.
Immediate impact
As security teams were scrambling to patch the bug, threat actors had already been working on extracting sensitive information and infiltrating systems. Attackers are spreading botnets such as Mirai and Kinsing to perform a variety of illegal activities ranging from remote cryptocurrency mining to DDoS attacks.
Long term impact
As the vulnerability and exploit vectors continue to evolve, the Log4j vulnerability is likely to persist for a long time. Like COVID-19, which keeps mutating and spreading rapidly despite widespread vaccination, the Log4Shell bug is being exploited despite patches being released. Moreover, the attack has the potential to disrupt information exchange and delivery across international tech giants as big as Microsoft and Apple.
The timing and scale of the vulnerability can potentially damage global supply chains similar to the Kaseya VSA ransomware attack witnessed earlier in 2021 but at a much wider scale.
The road ahead
Even though it seems like the bug has gone haywire, all hope is not gone. The Apache Software Foundation, the developer of the Log4j framework, has already released patches and is constantly monitoring the situation, spreading awareness and working with several cyber security teams globally to protect enterprise data. Companies worldwide are being recommended to check their systems for the vulnerability and install updates on affected systems to mitigate damage.
Although a patch may seem like a silver bullet solution for the bug, that is not the case. Apache has already released two versions of the patch in less than a fortnight and more can be expected owing to the evolving nature of the threat.
BluSapphire sitrep
The security of both BluSapphire products and our customers’ safety is a top priority for us. In response to these vulnerabilities, BluSapphire has taken immediate action to proactively address any critical vulnerability affecting our products and solutions containing the Log4j software library.
Upon notification of the Log4j vulnerability report, the BluSapphire Security Team initiated investigations in accordance with our incident response processes. BluSapphire followed the guidance issued to all Log4j customers in addition to following our internal processes for investigation, forensics analysis, and threat mitigation. BluSapphire will continue to remain vigilant regarding all aspects of this challenging and evolving situation.
At this time, there have been no compromises or successful exploits observed in BluSapphire products, solutions or in the BluSapphire environment. The majority of our products and solutions are not affected by the vulnerability as we do not use the vulnerable components of Log4j. However, to be extra safe, we have either upgraded the Log4j version to 2.16 where possible or disabled JNDI functionality and removed the relevant JMSAppender from our packages. This ensures that our packages are not affected by the disclosed vulnerabilities.
BluSapphire will continue to update this advisory as additional information becomes available and will provide answers to common questions below. This advisory should be considered the single source of current, up-to-date, authorized and accurate information from BluSapphire regarding fully supported products and versions.
Frequently Asked Questions
1. Are BluSapphire products affected by the Log4j vulnerability? Which products were affected?
BluSapphire products do not use Log4j software and therefore are unaffected. However, it may be present in the installation packages as part of transitive dependencies. To avoid any future concerns, these dependencies have been removed from the packages.
2. What remediation actions have been taken?
All BluSapphire products, software and infrastructure have been evaluated and countermeasures have been implemented for protection. Countermeasures take the form of:
- mitigation steps recommended by Apache for Log4j
- removal of vulnerable files from the jar packages
- upgrade to 2.16 where possible
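To verify the countermeasures listed above (and the JNDI/JMSAppender removal described in the sitrep) on a deployed package, an added inventory check that is not part of the advisory or BluSapphire's own tooling: it walks a jar, including jars nested inside fat or shaded builds (the transitive-dependency case), reads the log4j-core version from its Maven metadata, and reports whether the JNDI lookup class or the Log4j 1.x JMSAppender is still present or has been removed. The sample jars are constructed inline for the demo; the class paths and pom.properties location are the ones the real artifacts use, while the 2.16.0 threshold is taken from this advisory.

```python
import io
import zipfile

# Entries whose presence marks an unmitigated package: the 2.x JNDI lookup that the
# Apache mitigation deletes, and the 1.x JMSAppender the advisory above removes.
RISKY_CLASSES = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/log4j/net/JMSAppender.class",
)
# Maven metadata shipped inside log4j-core jars; it carries the version string.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # upgrade target named in the advisory

def parse_version(text):
    """Extract 'version=2.14.1' from pom.properties as a comparable tuple."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            return tuple(int(p) for p in parts if p.isdigit())
    return None

def scan_jar(data, prefix=""):
    """Return findings for one jar (bytes); nested .jar/.war/.ear entries are recursed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        # No log4j-core metadata (e.g. Log4j 1.x) or a version below 2.16: inspect classes.
        if version is None or version < FIXED_VERSION:
            for cls in RISKY_CLASSES:
                if cls in names:
                    findings.append(f"{prefix}{cls} present")
            if version and RISKY_CLASSES[0] not in names:
                findings.append(f"{prefix}log4j-core {'.'.join(map(str, version))} mitigated by class removal")
        for name in sorted(names):
            if name.endswith((".jar", ".war", ".ear")):
                findings.extend(scan_jar(zf.read(name), f"{prefix}{name}!/"))
    return findings

def build_jar(entries):
    """Constructed sample jar for the demo (not a real Log4j build): path -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

if __name__ == "__main__":
    old_core = build_jar({RISKY_CLASSES[0]: b"\xca\xfe\xba\xbe", POM_PROPS: "version=2.14.1\n"})
    fat_app = build_jar({"lib/log4j-core-2.14.1.jar": old_core})  # transitive dependency bundled in
    for label, jar in (("log4j-core", old_core), ("app.jar", fat_app)):
        print(label, scan_jar(jar) or ["clean"])
```

On a real host, feed `scan_jar` the bytes of each jar found by the deployment's package inventory; an empty result means the jar is either above 2.16 or carries neither class.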
3. Will this incident impact or interrupt the delivery of BluSapphire products and services?
At this time, we are not anticipating any service disruptions for any BluSapphire products or services.
4. What is the impact to BluSapphire’s business?
There is no impact to BluSapphire’s business at this time.
5. How does BluSapphire protect its environment from potentially affected software?
In response to this vulnerability, BluSapphire has followed the recommendations from Apache and the United States Cybersecurity and Infrastructure Security Agency. These actions also include patching and increased monitoring. Our security team works 24x7 to protect BluSapphire.
6. How are BluSapphire’s on-site deployments affected?
As noted before, BluSapphire’s products themselves do not use Log4j functionality and hence are not impacted. However, there may be transitive dependencies that have inadvertently packaged Log4j. For these deployments we recommend reaching out to support@blusapphire.net for mitigation and/or upgrade options. These support calls will be free.