How Risky Is the Log4J Vulnerability?

There is no doubt that the recently publicized vulnerability in Log4j is a serious one and security teams should be spending time assessing the organization's exposure. The vulnerability, CVE-2021-44228, was rated a 10.0 -- the highest possible score -- under the Common Vulnerability Scoring System (CVSS), which is used to assess the severity of a vulnerability so that security defenders can decide how to prioritize their response activities, taking into account the impact of the vulnerability and exploitability. But it doesn't really talk about risk.

For that, we can look at the Kenna Risk Score, which takes into account what is happening in real time, in the wild, for each vulnerability. The score provides an estimate of the likelihood of exploitation and makes it possible to order the probability the vulnerability would be exploited. The score gives defenders a starting point when trying to decide how risky the vulnerability is.

The Kenna Risk Score for CVE-2021-44228 is currently 87 of out 100, "an exceptionally rare score reflecting the severity and potential impact of this vulnerability," says Ed Bellis, CTO and co-founder at Kenna Security, now a part of Cisco. Kenna has scores for more than 165,000 CVEs, and only 0.4% of those vulnerabilities have earned a Kenna Risk Score of 87 or higher.

"Log4j is riskier than 99.6% of all known vulnerabilities," Bellis says.

The team has also been tracking likely successful exploitations from a combination of vulnerability scans and malware reversal using ReversingLabs and AlienVault Labs. While the volume of attempts is much higher, a lot of it is just "gray noise" because the scanning is being performed by both good and bad actors, Bellis says. Overall, the volume and velocity of potentially successful exploitations is low but increasing roughly fourfold every day, he says.