The Log4j vulnerability: What is it, and should I be concerned?

Amongst the barrage of Omicron news, you might have read about a new cybersecurity vulnerability with the name Log4j, or Log4Shell. If you dug into this news, you might have learned that security experts such as Jen Easterly, the head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), were calling the vulnerability things like “one of the most serious I’ve seen in my entire career, if not the most serious.”

Yet, no gas pipelines have been been shut down and no water systems have been hacked. So, what is Log4j, and as a controls engineer, should I be concerned? There are many questions to answer.

Also read: Address the Log4j threat before it’s too late

What is Log4j?

Log4j is a widely used Java software library from the Apache Foundation. Its job is to collect and record events—a totally normal and indeed necessary task in any software system, especially a control system. And sensible developers the world over included Log4j in their software rather than recreating the wheel with a bespoke logging system.

What is the Log4j, or Log4Shell, vulnerability?

On December 10, the world learned that the Log4j software contained a very serious vulnerability with the identifier CVE-2021-44228. The vulnerability allows attackers to send malicious “messages” into a log server that could be used to execute commands on that server, steal data or even take control of the server (Figure 1).

The vulnerability was the result of overly provisioned features that were enabled by default, an insecure default configuration, and the implicit trust of messages on the network.

Is the Log4j vulnerability serious?

Yes, it is very serious. There are three reasons for this. First, the Log4j vulnerability is trivial for attackers to exploit and it gives them extraordinary capabilities. Second, the use of Log4j is incredibly widespread—software companies of all sizes have been including this vulnerable version since 2014 in software ranging from Minecraft game servers to backup-power-supply management systems. Finally, the equipment where Log4j is running is often given extensive administrative privileges to access other computers. Taking over a log server is equivalent to giving hackers the keys to the kingdom.

What will attackers do with the Log4j vulnerability?

The Log4j vulnerabilities offer such a powerful and purposeful exploit that we simply don’t know how attackers will use it. In the words of Eric Goldstein during CISA’s Briefing to Critical Infrastructure Partners: “This vulnerability could be used for an extraordinary broad range of attacks.”

Is the Log4j vulnerability actively being exploited by hackers?

Unfortunately, there are lots of active attacks occurring. Government security agencies such as CISA and private services such as Sophos and CloudFlare are all reporting active exploitation of the vulnerability. It is clear that both foreign adversaries and the ransomware community are attempting to identify vulnerable hosts on the Internet. Even the ransomware community is seeing this vulnerability as a golden opportunity.

If the Log4j vulnerability is being exploited right now, why aren’t we hearing about shutdowns and blackouts?

Right now the bad guys are simply using the vulnerability as a golden opportunity to get a foothold into critical systems around the world. They will steal data or launch attacks at their convenience later.

How worried should you be?

Unfortunately, you should be very worried as Log4j is widely used in industrial-control-system (ICS) software. Thanks to the Framework for Analysis and Coordinated Trust (FACT) platform, analysts have access to a database of about 45 million software packages and components used in the operational technology (OT) space. Ninety percent of the OT vendors have at least one affected product; some, such as Siemens, have hundreds.

What should control professionals be doing?

The first step is to determine if any software in your system contains Log4j. Mitigation is impossible when you don't even know if you've got the vulnerability. Unfortunately, most OT companies won’t know which products contain Log4j. And if they don’t know that the software they’ve deployed on the plant floor contains the Log4j software, then they won’t know to patch or block evil traffic until it is too late and they are compromised.

A good place to start is the joint cybersecurity advisory from CISA, the FBI, and NSA on Mitigating Log4Shell and Other Log4j-Related Vulnerabilities.