Small business guide to responding to Log4j / Log4Shell vulnerability

The security community exploded over the weekend on news of a devastating vulnerability in something called Log4j. Visiting a web page could be enough for an attacker to trigger the vulnerability and give them access to do any number of nasty things.

What is Log4j?

Log4j is a component included in applications written in the programming language Java. Applications use Log4j to log what’s happening and to understand when things are working or problems need fixing.

Log4j is available as open source software, making it free to use and common in a large number of applications, many of which your business may rely on.

What is Log4Shell?

It was recently discovered that a log entry on a system running Log4j would trigger a ‘feature’ that would allow anyone to run malicious code. As many applications send user inputs (e.g. usernames, search queries, browser configurations) to log entries, attackers figure out they could trigger Log4j to run their dodgy code by interacting with a site.

This attack, called Log4Shell, has attackers and security researchers across the globe, looking for vulnerable systems.

Do I need to care about Log4Shell?

Because Log4j is usually part of an application, it can be hard to figure out if your business is vulnerable to Log4Shell attacks. To figure out if Log4Shell is something you spend time looking into, ask yourself the following questions:

Are your systems remotely accessible?

If any of your systems can be accessed from the Internet, someone is already likely trying to compromise it using Log4Shell. Even if it’s behind a firewall, you should investigate things further as a priority.

Do you develop software in-house?

Any software you develop, or have had developed, using Java, may be vulnerable to Log4Shell. Even if your application isn’t written in Java, there’s a chance it relies on external components that are. Work with your team to investigate this as a priority.

Do you have any internal servers?

Your internal systems can be attacked using Log4Shell in some circumstances. While theres less urgency around protecting systems in your internal network, don't ignore them.

Do you have any systems managed on your behalf by third-parties?

Don't neglect systems your business relies on that someone else looks after. Work with your support partners to understand if Log4Shell is a problem for your business.

Do any of your desktop applications use Java?

A lot of desktop applications, particularly those that have been around for a while, use Java. While they are less likely to be attacked in the short term, don’t ignore them. It can be hard to know if your applications run on Java, so if you’re not sure, ask for help figuring this out.

What can I do to protect my small business from Log4j / Log4Shell?

It’s tempting to say “install the latest Log4j security updates”. For many businesses this may not be something you can immediately do yourself.

Before you go too far, create a list of systems that may need fixing. Start with anything remotely accessible and then work your way in. Look for applications that use Java in some way. There are tools out there that can help with this discovery work.

It is critical that you install security updates for these applications as soon as they become available. There are lists of software updates emerging online, but these will likely change so check for updates on a regular basis.

You may find applications you can't update without significant impact. There will be others that don’t have patches available yet as well. If this occurs, consider removing any remote access to them. If you can’t disconnect them from the Internet, look for ways to prevent these systems from connecting things online you don’t trust.

If you suspect your software uses Log4j, work with your developers to determine if a vulnerable version is present. Then work towards upgrading to the latest version as soon as possible. If upgrading isn’t an immediate option, look for places in your code where user input is logged and comment it out where possible.

As challenging as these steps may seem, they are only a starting point. If you’re unsure what needs fixing, or want like to avoid similar situations impacting your business in the future, sign-up as a Cynch Cyber Fitness member and we’ll help you every step of the way.