Scanning for the Log4J In Your Digital Vendors
Reports published on the 9th of December 2022 have it that information security researchers discovered a critical security vulnerability in the logging library log4j. The discovery turned the cybersecurity world into turmoil, indicating a supply chain vulnerability that compromised the world’s biggest applications, cloud services, and other software services.
So without further ado, let’s take a look at the log4j/log4shell vulnerability and how can we protect ourselves against it:
What is Log4j?
Log4j is a small yet widely popular open-source digital component used as a logging tool for many different digital services. Logging is the documentation of changes, a crucial step in the SDLC process. It enables programmers to see if any changes they made raise issues or errors.
Think about any IT system in your organization, ranging from billing to building management systems, even the ones that aren’t connected to the online network. The chances are that at least one of these systems includes at least one component that relies on log4j for logging. We’re talking about widely diverse systems, all of which depend on simple digital components.
There aren’t many (if any) software that doesn’t use open-source components. But, considering that the subject at hand is an open-source tool maintained by several individuals who do this in their spare time without any reward, and what do you get? XKCD illustrates it better than we do:
Read more on the effects of fourth-parties.
The Next Stage in the Evolution of Digital Supply Chain Attacks
The log4j vulnerability doesn’t only threaten an organization’s servers; it may exist in any one of the dozens of third parties and digital vendors used by any website and online service. It means that it’s not enough to search for the log4j vulnerability on your local servers. You have to check for it in every single one of the third and fourth parties connected to your website.
The discovery indicates the lethal potential of a digital supply chain attack. The fact that an open-source component like log4j is so popular and widespread is what makes this sort of attack so potent on the one hand yet simple to execute on the other. This also demonstrates the central problem with the open-source code model, which is the most popular programming method nowadays.
It isn’t the first or second-time threat actors that exploit a vulnerability in an organization’s digital supply chain to breach it. What is unique about this discovery is that it showcase the evolution of digital supply chain attacks as the growing scale of digital ecosystems also expands an organization’s attack surface.
Read more about a similar vulnerability found earlier this year in our article on the CDNjs RCE.
What can we do about it?
The discovery of the log4j vulnerability proves that even the smallest mistake made by your vendor’s vendor can expose your organization to severe cyber attacks. It means that your security measurements are only as strong as your weakest link in the supply chain.
The only thing we can do to mitigate this sort of vulnerability is to map your website’s digital components into an assets inventory. This enables you to detect vulnerabilities in either your local scripts or digital vendors in real-time to remediate your digital supply chain vulnerabilities before the damage is done.
For a free scan to find log4j vulnerabilities in your website or in any of it’s third and fourth party, click here.