The Log4j vulnerability continues to present a major threat to enterprise organizations one year after the Apache Software Foundation disclosed it last November — even though the number of publicly disclosed attacks targeting the flaw itself has been less than many might have initially expected.
A high percentage of systems still remain unpatched against the flaw, and organizations face challenges in finding and remediating the issue and then preventing the flaw from being reintroduced into the environment, security researchers say.
"The fact that Log4j is used in [nearly] 64% of Java applications and only 50% of those have updated to a fully fixed version means attackers will continue to target it," says David Lindner, CISO at Contrast Security. "At least for now, attackers continue to have a field day in finding paths to exploit through Log4j."
Multiple Attacks But Fewer Than Expected
The Log4j flaw (CVE-2021-44228), commonly referred to as Log4Shell, exists in Log4j's Java Naming and Directory Interface (JNDI) function for data storage and retrieval. It gives remote attackers a trivially easy way to take control of vulnerable systems — a problem given that Log4J is used in virtually every Java application environment. Security researchers consider it as one of the most significant vulnerabilities in recent years because of its prevalence and the relative ease with which attackers can exploit it.
Over the past year, there have been numerous reports about threat actors targeting the flaw as a way to gain initial access into a target network. Many of these attacks have involved nation-state-backed advanced persistent threat (APT) groups from China, North Korea, Iran, and other countries. In November, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) warned about an Iran-government-backed APT group exploiting the Log4j vulnerability in an unpatched VMware Horizon server to deploy cryptomining software and credential harvesters on a federal network.
The warning was similar to one from Fortinet in March about Chinese threat actor Deep Panda using the identical vector to deploy a backdoor on target systems and another from Ahn Labs about North Korea's Lazarus Group distributing its own backdoor the same way. Others such as Microsoft have also reported observing state actors such as Iran's Phosphorous group and China's Hafnium threat actor using Log4 to drop reverse shells on infected systems.
Despite such reports — and several others about financially motivated cybercrime groups targeting Log4j — the actual number of publicly reported compromises involving Log4 has remained comparatively low, especially when compared to incidents involving Exchange Server vulnerabilities like ProxyLogon and ProxyShell. Bob Huber, chief security officer at Tenable, says the scale and scope of reported attacks have been surprisingly lower than expected, considering the simplicity of the vulnerability and the attack path. "Only recently have we seen some significant evidence of targeting, as noted by recent nation state activity from CISA," Huber says.
However, that does not mean the threat from Log4j has diminished over the past year, security researchers note.
For one thing, a large percentage of organizations remain as vulnerable to the threat as they were a year ago. An analysis of telemetry related to the bug that Tenable recently conducted showed 72% of organizations were vulnerable to Log4j, as of Oct. 1. Tenable found that 28% of organizations globally have fully remediated against the bug. But Tenable found that organizations which had remediated their systems often encountered Log4j again and again as they added new assets to their environments.
In many instances — 29%, in fact — servers, Web applications, containers, and other assets became vulnerable to Log4j soon after initial remediation.
"Assuming organizations build the fix into the left side of the equation — during the build pipeline for software — rates of reintroduction should diminish," Huber says. "Much of the rate of reintroduction and change depends greatly on an organization's software release cycle."
Also, despite almost ubiquitous awareness of the flaw within the cybersecurity community, vulnerable versions of Log4j remain vexingly hard to find at many organizations because of how applications use it. Some applications might use the open source logging component as a direct dependency in their applications, and in other instances an application might use Log4j as a transitive dependency — or a dependency of another dependency, says Brian Fox, CTO at Sonatype.
"Since transitive dependencies are introduced from your direct dependency choices, they may not always be known or directly visible to your developers," Fox says.
In many cases, when the Apache Foundation first disclosed Log4Shell, companies had to send out thousands of internal emails, collect results in spreadsheets, and recursively scan file systems, Fox says. "This cost companies valuable time and resources to patch the component and prolonged the magnitude of the vulnerability's malicious effect," he says.
Data from the Maven Central Java repository that Sonatype maintains shows that 35% of Log4 downloads currently continue to be of vulnerable versions of the software. "Many companies are still trying to build their software inventory before they can even begin a response and are unaware of the implications of transitive dependencies," Fox says.
Because of all of the issues, the US Department of Homeland Security review board earlier this year concluded that Log4 is an endemic security risk that organizations will need to contend with for years. Members of the board assessed that vulnerable instances of Log4j will remain in systems for many years to come and put organizations at risk of attack for the foreseeable future.
The One Positive Outcome
Security researchers tracking the bug say that the positive fallout from Log4j is the heightened attention it has drawn to practices such as software composition analysis and software bill of materials (SBOM). The challenges that organizations have faced just determining whether they are vulnerable or where the vulnerability might exist in their environment has fostered a better understanding of the need for visibility into all the components in their codebase — especially those from open source and third-party sources.
"The investigation into the Log4J issue has reaffirmed the need for better software supply chain attestation in addition to SBOMs that keep up with the speed of DevOps," says Matthew Rose, CISO at ReversingLabs. "Application security and architecture teams have realized that just looking for risk in parts of the application like source code, APIs, or open source packages is not enough. They now realize that a complete understanding of the application's architecture is just as important as finding SQLI or cross-site scripting bugs (XSS)," he says.