LOG4J Security Alert
Last Friday, we were first informed about a security flaw within log4j, a java-based application logging tool used in perhaps 10,000+ applications. The scope of the problem could be significant, and the situation is national news right now.
Here’s what you need to know:
- Log4j includes a capability to embed commands that will target outside systems. In other words, a hacker can embed a command deep inside the bowels of a Java application that can give the hacker access to the user’s computer.
- Unlike complex computer viruses with famous names like “MyDoom” and “WannaCry,” this hack only requires relatively simple code placed into Log4j correctly. The information that bad actors need to exploit Log4j is already widely shared.
- A bad actor still needs to go find Log4j inside an application but they are out hunting for this right now and they might get there faster than the good guys who are also looking for Log4j inside their apps.
At this point in time we, and the entire security community, are currently working on analyzing and attempting to identify solutions that are leveraging this library in order to mitigate the threat. This is NOT a simple patch-and-done type situation.
In order to effectively mitigate this vulnerability, application vendors and software developers must patch log4j within their applications and then release those patches to their customers.
While we wait for software updates, EO is monitoring our systems and our client systems for indicators of compromise and tracking trends and new information as it becomes available. We have no way of 100% identifying what solutions utilize log4j, but we are doing our best to identify what we can and reach out to those vendors regarding a solution.
We are all over this situation and will do all we can to protect our clients. For those of you with IT backgrounds and a desire to follow along as this situation evolves, we recommend two websites provided here with links to the specific page for this situation:
- CVE: CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
- NIST: National Vulnerability Database
As always, we are here 24/7 to answer your questions. If you are a client, you know where to find us. If you are a reader of EO Advisor and want to talk about this, please reach out.