There is a new code concern that has emerged in the MSP world, and it has many software vendors and IT service providers scrambling.
A vulnerability in Log4j, a piece of open-source code available from Apache Software Foundation that can be found in software used by some of the world’s most prominent companies including technology vendors and managed service providers (MSPs), was exposed late last week.
Log4j is a widely used Java library for logging error messages in applications. The vulnerability, known as CVE-2021-44228 and originally reported in a blog post by the video game Minecraft, allows hackers to communicate with Log4j remotely via the internet.
The implications for MSPs and software vendors are severe, as it puts basically any device that is exposed to the internet and runs Apache Log4j, versions 2.0 to 2.14.1 at risk.
CloudBlue is not impacted by Log4j
CloudBlue is not affected by the Log4j vulnerability. Although the CloudBlue platform does employ Log4j 1.x in its aps-tools package – which is a part of the Branding-UI component – this version does not fall into the affected versions of the code.
The CloudBlue platform also uses WildFly and ElasticSearch. While these software do contain a Log4j package, both are not vulnerable and statements from those vendors have been released confirming this:
CloudBlue’s security team has also completed a full review of the situation and have confirmed that there is no impact.
Additionally, a recent report from Black Knight Solutions, a web hosting service, found CloudBlue and Ingram Micro to be “not vulnerable” to the bug. For details we’ve published this knowledge base article.
We at CloudBlue know that it’s paramount for MSPs to be aware of the circumstances and risks involved with Log4j in order to employ proactive measures to protect against any current and future exploitation. Below you’ll find more information about the Log4j vulnerability, how it’s impacting MSPs and how IT service providers can take precautions.
What is Log4j?
CVE-2021-44228 is a code vulnerability in Apache Log4j, versions 2.0 to 2.14.1 that allows hackers to remotely execute code on a target computer, allowing them to conduct acts such as stealing data, installing malware or taking complete control of a system. The cybercrimes seen thus far have ranged from hacking in and stealing cryptocurrency, all the way to large-scale attacks on internet infrastructure. State-sponsored actors are also reported to be exploiting the bug.
Internet-facing systems as well as backend systems could contain the code vulnerability. Cybersecurity experts are especially concerned about hackers taking advantage of the bug to install ransomware, which can shut down systems until victims pay a fee to have them released again.
According to reports, Log4j has been downloaded millions of times and is among one of the most widely used tools to collect information across corporate computer networks, websites and applications.
Because the code has such a broad scope, the vulnerability may impact a very wide range of software vendors and services providers. Experts in security have said that there are hundreds of thousands of attempts being made currently by hackers to find vulnerable devices, with over 40% of corporate networks being targeted.
What should companies do?
If your organization runs the affected versions of Log4j, there are some key steps you can take.
Businesses should fortify back-end defenses by applying the patches provided by software vendors that employ the affected versions as quickly as possible. Vendors and service providers should also set up alerts for probes or attacks.
The Apache Software Foundation itself has released multiple updates in recent days and it is advised to upgrade to the latest version of the Log4j tool in order to patch any vulnerabilities.
Experts are also recommending that companies limit unnecessary outbound internet traffic, which could serve some value in protecting vulnerable systems.
Staying on top of status updates and associated technology vendor guidance will help to avoid potential supply chain attacks related to the bug. According to Apache, there is also a workaround to mitigate this vulnerability, and organizations who feel they have been exposed should leave no effort unattended.
Companies around the globe are also stepping up in a concerted effort to confront the Log4j vulnerability. The Netherlands’ National Cyber Security Centrum (NCSC) has posted a comprehensive list on GitHub of all affected products that are either susceptible, not susceptible, are under investigation or where a fix might be available. Meanwhile, Microsoft has created a series of steps to diminish the risk of exploitation. Also useful, Huntress has created a tool to help IT departments test whether their applications are vulnerable.
Finally, as many companies navigate this latest cybersecurity threat, it is paramount to have regular communication with customers and issue guidance as it becomes available.
CloudBlue is monitoring the situation
The worldwide Log4j software cleanup could take months, and according to some experts even years, because thousands of third-party software products run the code and have been affected.
While companies employ measures to mitigate and remedy the risk, it is wise for businesses to taper down on outbound internet use in the near term. This will lower the probability of susceptibility—as with less exposure, comes less risk.
Although CloudBlue has been found to be secure against Log4j, we will be keeping an eye on the situation to ensure our customers are updated with the latest developments.
If you have any questions regarding the Log4j vulnerability, we invite you to contact together@cloudblue.com.