In December 2021, a major security vulnerability was detected in Log4j, a widely used piece of open-source logging software maintained by the Apache Software Foundation. Although most major companies patched the hole rapidly, the vulnerability could persist for years, because networks that were infiltrated before the patch was applied remain compromised.
Log4j is used to log activity across applications and their associated computer networks. It is one of the most widely used pieces of open-source software in existence today. Several patches were promptly made available to address the security hole. However, such patches are frequently not applied promptly, so the ongoing risk is significant. It is widely recognized in the cybersecurity community that the Log4j vulnerability will continue to affect computer systems and networks for years to come.
The Log4j vulnerability is symptomatic of a much larger issue: software supply chain security. Too many companies do not fully appreciate the sheer number of dependencies in their software supply chain. Oftentimes, companies do not tightly control how and where these dependencies are sourced. If your company is not proactively managing these dependencies, then it is potentially vulnerable to a software supply chain attack. In a software supply chain attack, bad actors insert malicious code into open-source components and shared libraries so that the legitimate applications built on them carry the infected code. Consequently, application providers such as SolarWinds (used for IT monitoring) and Kaseya (used for IT management) have unintentionally distributed infected code to their customers.
To minimize the potential for supply chain security exposure, your company should adopt the following best practices, as outlined by Microsoft:
For help in determining if your company is vulnerable to the Log4j vulnerability in particular and to obtain remediation guidance, your technical team should refer to this National Vulnerability Database entry for CVE-2021-44228.
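The first step both paragraphs above call for is knowing which Log4j builds are actually present in your software, including copies buried inside WAR files and fat jars that a package manager never lists. The scanner below is an added example, not code from the original article or from Microsoft or Apache: it reads the Maven `META-INF/maven/<group>/<artifact>/pom.properties` entries that most Java libraries carry, recurses into nested archives, and reports each copy of `log4j-core` with its version string. The sample archive and its version string `0.0.0-SAMPLE` are constructed for the demo; comparing reported versions against the affected ranges in the NVD entry is left to the reader.

```python
import io
import zipfile

# Archive suffixes worth descending into; a nested entry is scanned like a top-level file.
ARCHIVES = (".jar", ".war", ".ear")

def parse_pom_properties(text):
    """Parse a Maven pom.properties file (key=value lines, '#' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def scan_archive(data, chain):
    """Yield (chain, groupId, artifactId, version) for every Maven artifact inside an
    archive given as bytes; 'chain' records the path of nesting so a hit can be located."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                yield chain, p.get("groupId"), p.get("artifactId"), p.get("version")
            elif name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), chain + (name,))

def make_jar(entries):
    """Build an in-memory jar from {entry name: str or bytes}; used only for sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample: app.war bundling log4j-core.jar with a made-up version string."""
    pom = "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=0.0.0-SAMPLE\n"
    inner = make_jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": pom})
    outer = make_jar({"WEB-INF/lib/log4j-core.jar": inner,
                      "META-INF/maven/com.example/app/pom.properties":
                      "groupId=com.example\nartifactId=app\nversion=1.0\n"})
    hits = [h for h in scan_archive(outer, ("app.war",)) if h[2] == "log4j-core"]
    return [(h[0], h[3]) for h in hits]  # where each copy sits, and its version
```

To run it against a real deployment, read each `.jar`/`.war`/`.ear` on disk as bytes and pass it to `scan_archive` with the file path as the initial chain.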