How to prevent and detect Log4j vulnerabilities

The Apache Log4j vulnerability has attracted a lot of media attention as a result of recent security incidents that were reported by some organizations using versions 2.0-beta9 through 2.14.1. This security flaw has the potential to affect thousands of applications since some of the world’s largest databases rely on Log4j.

Because so many organizations are affected, cybercriminals are actively exploiting this well-known vulnerability.

Why is this so dangerous? In addition to the threat of malware and ransomware, hackers can also perform remote code execution due to the Log4j vulnerability. For those who have not applied patches to their Log4j-dependent third-party solutions, hackers can easily use this vulnerability to exploit applications and to take control of servers and other devices on corporate networks.

As headlines in recent weeks have shown, it’s reasonable to assume that large organizations could have hundreds of vulnerable applications running across thousands of devices company-wide.

What is Apache Log4j vulnerability?

The Apache Log4j library is extremely popular. Almost all JAVA-based enterprise software depends on it. Consequently, Log4j is the de facto standard JAVA logging API that developers use to enrich their server applications with logging capabilities.

One reason that an organization might use Log4j is to help troubleshoot potential security incidents. For example, if someone attempted to log in using incorrect credentials, Log4j could record information about the event. In other words, Log4j holds sensitive information that malicious attackers can easily exploit.

The Log4j vulnerability CVE-2021-44228 impacts Log4j 2 versions from 2.0-beta9 to 2.14.1. Apache announced a series of somewhat related vulnerabilities: CVE-2021-45046, which can lead to DDOS attacks, and CVE-2021-45105, an infinite recursion bug.

The Apache Software Foundation has already released versions 2.15.0, 2.16.0, and 2.17.0 to patch the vulnerability. If you’re running one of the affected Log4j versions, it’s crucial that you patch your system immediately.

Since Log4j vulnerabilities affect the core function of the program, there are many ways that cybercriminals can exploit them.

On vulnerable systems, attackers not only have access to all data, they can also run any code they want. All capabilites that a comprised machine has can then be exploited by the attacker. This opens the door for malicious code injections, ransomware attacks, and DDOS attacks.

The impact of Log4j vulnerabilities

Researchers have observed attempted exploits of Log4j vulnerabilities on over 44% of corporate networks across the globe. But the bad news doesn’t stop there.

While most attackers taking advantage of the current Apache vulnerabilities seem to be solo operators, there is increasing evidence that sophisticated hackers are working quietly to follow through with large-scale attacks. Cybercriminals will not execute these attacks until months or even years from now after they have gained a thorough understanding of your security ecosystem.

First, attackers create a foothold within a network where they quietly spy on business activities, security protocols, and even high-level users. Then, after finding the most effective way to exploit an organization, they develop a plan and execute their devastating attack.

Cyberattacks can mean catastrophe for unsuspecting companies. In addition to data loss, disruptions can damage their reputation and have other costly effects. For example, IT downtime costs $5,600 per minute for most companies.

As far as cybersecurity trends are concerned, data breaches are increasing in popularity, scope, and cost. With 2021 surpassing 2020’s unprecedented number of data breaches, researchers expect 2022 to bring even more cyberattacks.

How to prevent and detect Log4j vulnerabilities

Although the impacts of Log4j vulnerabilities are far-reaching, there are steps you can take to prevent and detect Log4j vulnerabilities on your network. Don’t let rising ransomware statistics fool you - data breaches are not inevitable. Research shows that 97% of cyberattacks could be prevented by having the right tools and protocols in place.

Here are five things that you can do to prevent and detect Log4j vulnerabilities:

Upgrade and patch your systems

First and foremost, if your organization has deployed any of the affected versions of Apache, it’s crucial to upgrade your software to the latest version.

Apache recommends that Java 6 users upgrade to Log4j 2.3.2 and Java 7 users upgrade to 2.12.4. Java 8 and later users should upgrade to 2.17.1. They also recommend that you confirm that the JDBC Appender is only configured to use Java protocols.

Design a secure network ecosystem

Next, protect your network from future attacks and from dormant attackers who are lying in wait on the network for the best moment to attack. Many large organizations have in-house developers who design cybersecurity ecosystems for their networks.

If your organization lacks in-house support, you can expect to pay at least $60 an hour for a freelance developer who can create firewall rules to protect your servers and implement the following prevention tips as well.

Audit security events

New cybersecurity standards require that organizations maintain accurate logs to help maintain security and for investigating incidents. Collecting detailed information about security-related events makes it easier to identify an attack and improve cybersecurity policies over time.

Many operating systems already have a native auditing system in place that just needs to be configured and enabled. Store security audit logs in a safe place, like a remote system or a cloud-based service, so they can be referenced for future investigations and audits, and remain hidden from prying eyes.

Implement continuous vulnerability monitoring

Continuous monitoring provides a 24/7 view into your network operations, so that the IT team is notified as soon as a vulnerability or potential threat is detected. Most continuous monitoring software allows your teams to determine rules, frequency, and other parameters to tailor the tool to your security needs.

Continuous vulnerability monitoring allows your cybersecurity team to focus on the most dangerous threats before following up with additional flags. It’s easier for criminals to slide into your network unnoticed as they become savvier, but continuous monitoring helps eliminate even the most insidious of threats.

Centralize log data

Log aggregation is a process to standardize and consolidate log data from systems distributed across your network into one central server. Instead of wasting time manually collecting hundreds of log files from individual hosts, log aggregation collects all log sources it receives over the network, in real time, from various hosts, and merges them into streams, ususally by log source type. These streams are then forwarded to a SIEM or log analytics system, that ingests them and analyzes them in record time.

Centralized log data makes it easier to pinpoint security incidents so that teams can deploy the right solutions before it’s too late. Log aggregation also gives companies a more streamlined way to work with large amounts of data, so that it can more easily filter and search for specfic, high-quality security events. Automated detection tools are other helpful security features that are often part of log aggregation.

Final thoughts

Remember that mitigating security vulnerabilities is an ongoing project that never sleeps. Make sure that you have the correct tools in place to ensure your organization will be able to patch vulnerabilities, perform audits, aggregate logs, and monitor your network for unauthorized activity.

Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 10 February 2022

GET STARTED TODAY:

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.

Download a fully functional trial of the Enterprise Edition for free