A large number of applications have been affected by a critical vulnerability in the logging software Apache Log4j. These include applications from Apache itself, Amazon, VMware, Microsoft and SonicWall. The National Cyber Security Center (NCSC) has now posted a list of vulnerable Log4j applications on GitHub. The NCSC has also published a list of steps to take. Crisis consultations have now also taken place with all important cybersecurity officers.
Serious vulnerability Log4j
On Friday morning, the NCSC received reports of a serious vulnerability in Log4j. This Java logging tool is used by many applications and services. For example, it keeps track of which users have logged in.
The NCSC tries to get as broad a picture as possible of the potentially vulnerable software. The organization has now placed a list of vulnerable Log4j applications online on GitHub. The NCSC indicates that it is not possible for it to update its security advice for every Log4j application.
“A mention of an application on this list can therefore be seen as an update of the HIGH/HIGH-security advice (high risk of major damage)”, according to the NCSC. This list will be further expanded in the coming days. The NCSC has called on partners, companies and organizations to share additional information on GitHub.
The impact of the Log4j vulnerability, which is now also known as LogJam and Log4Shell, is very serious. The logging software allows developers to log various information via their applications. The vulnerability can be exploited by malicious parties, who can execute code remotely with the rights of the parent application. An attacker can inject and execute code remotely, and it is impossible to estimate in advance what rights the parent application has. The possible consequential damage is therefore difficult to estimate.
Servers that run Log4j are already being scanned on a massive scale. In addition, the vulnerability is reportedly being actively exploited. Microsoft has already seen attackers exploit the vulnerability to install coin miners or to gain further access to a target by installing Cobalt Strike malware. Cobalt Strike is a malware package that allows attackers to perform various further attacks. A coin miner uses the computing power of the server to mine cryptocurrency.
Steps to take
Apache has since released updates to fix the vulnerability. Organizations are advised to regularly check the list on GitHub and see if there are relevant updates for their organization. The NCSC recommends installing the updates made available by Apache as soon as possible. It also recommends that organizations monitor software vendor pages in addition to the GitHub listing itself.
Not only the systems that have already been patched but also vulnerable systems must be checked for abuse. The advice of the NCSC is to look for abuse over the last year. The national cyber watchdog recommends enabling detection measures but emphasizes that enabling these measures is no guarantee that any form of abuse will be stopped.
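Checking the list and installing updates starts with knowing where Log4j is embedded in your own applications. The inventory sketch below is an added example, not code from the NCSC or Apache; it assumes Log4j ships as the log4j-core library inside Java archives, and the sample archive and its version string are constructed.

```python
import io
import re
import zipfile

# Markers of an embedded log4j-core copy: its Maven metadata and one of its core classes.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_CLASS = "org/apache/logging/log4j/core/Logger.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(location, version)] per log4j-core copy, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive, or corrupt: nothing to report
    found = []
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            text = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", text, re.M)
            found.append((label, m.group(1).strip() if m else "unknown"))
        elif CORE_CLASS in names:
            found.append((label, "unknown"))  # metadata stripped, classes still present
        if depth < max_depth:
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXT):
                    found += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return found

def scan_file(path):
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

def build_sample():
    """Constructed sample: a WAR with one labelled log4j-core JAR and one repackaged copy."""
    jar = make_zip({POM_PROPS: "groupId=org.apache.logging.log4j\nversion=0.0.0-sample\n"})
    stripped = make_zip({CORE_CLASS: b"placeholder"})
    return make_zip({"WEB-INF/lib/log4j-core.jar": jar, "WEB-INF/lib/app-shaded.jar": stripped, "index.html": "x"})

if __name__ == "__main__":
    print(scan_archive(build_sample(), "sample.war"))
```

Run `scan_file` over each archive on a server and compare the reported versions with the vendor's advisory; an "unknown" result means the library was repackaged and needs a manual check.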
The NCSC held a crisis meeting with all major cybersecurity officers on Sunday because of the worldwide vulnerability. They want to prevent a major vulnerability from triggering a new wave of ransomware. This is the first time the government has gathered all key cybersecurity officers to coordinate how to handle a security crisis.
The NCSC is closely monitoring the situation and will update the security advice when relevant information becomes available.