← Back to Insights

What is LOG4J? Best Practices to Minimize Exposure

In December 2021, a major cybersecurity bug was detected in Log4j, a widely used piece of open-source logging software provided by a leading middleware provider (Apache Software Foundation). Although the security hole has been rapidly patched by most major companies, the vulnerability could persist for years as previously infiltrated computer networks are compromised.

Log4j software is used to log activities across applications and their associated computer networks. It’s one of the most widely used pieces of open-source software in existence today. Several patches were promptly made available to address the security hole. However, these patches are frequently not installed promptly, making the ongoing risks significant. It is widely recognized among the cybersecurity community that the Log4j vulnerability will continue to impact computer systems and networks for years to come.

The Log4j vulnerability is symptomatic of a much larger issue, which is software supply chain security. Too many companies do not fully appreciate the sheer magnitude of the dependencies associated with their software supply chain. Oftentimes, companies do not tightly control how and where these dependencies are being addressed. If your company is not proactively managing these dependencies, then your company is potentially vulnerable to a software supply chain attack. During software supply chain attacks, bad actors infect open-source code and shared libraries to target legitimate applications with infected shared code. Consequently, application providers, such as SolarWinds (used for IT monitoring) and Kayeya (used for IT management), have unintentionally spread their infected code to their customers.

To minimize the potential for supply chain security exposure, your company should adopt the following best practices, as outlined by Microsoft:

  • Maintain a highly secure build and update infrastructure
  • Immediately apply security patches for OS and software
  • Implement mandatory integrity controls to ensure only trusted tools run
  • Require multi-factor authentication for admins
  • Build secure software updaters as part of the software development lifecycle
  • Require SSL for update channels and implement certificate pinning
  • Sign everything, including configuration files, scripts, XML files, and packages
  • Check for digital signatures and don't let the software updater accept generic input and commands
  • Deploy strong code integrity policies to allow only authorized apps to run

For help in determining if your company is vulnerable to the Log4j vulnerability in particular and to obtain remediation guidance, your technical team should refer to this National Vulnerability Database entry for CVE-2021-44228.