There is a new critical vulnerability that impacts one of the most popular open-source Java logging libraries, Apache Log4j 2. The exploit has been identified as a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The logging library is used by countless apps and companies around the world, including large enterprise organizations.

The vulnerability permits unauthenticated RCE, where an attacker can execute any code on a remote machine over LAN, WAN, or internet. The code is triggered when a string is provided by the attacker through a variety of different input vectors and is then processed by the Log4j 2 vulnerable element. 

The Common Vulnerabilities and Exposures (CVE) system has identified the vulnerability as CVE-2021-44228 and the NIST National Vulnerability Database (NVD) have assigned it a CVSS Score of 10.0 – Critical.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an advisory on the vulnerability and has added the Apache Log4j 2 Remote Code Execution Vulnerability to their Known Exploited Vulnerabilities Catalog.

Who is affected by the vulnerability?

Systems and services that use the Java logging library, Apache Log4j 2 between versions 2.0-beta9 and 2.14.1, are all affected. Log4j 2 is built into popular frameworks, including Apache Struts2 and others. With its widespread adoption, many third-party apps are likely vulnerable, revealing a vast attack surface.   

The Apache Foundation has released Log4j 2 Version 2.15.0 to address the vulnerability. Users and administrators are prompted to review the Apache Log4j 2 2.15.0 Announcement and upgrade to Log4j 2 version 2.15.0 or greater, or apply the recommended mitigations immediately. 

CISA recommends asset owners take three additional, immediate steps regarding this vulnerability: 

• Enumerate any external facing devices that have Log4j 2 installed.  
• Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.  
• Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.

Are You a OneTrust Customer? Read our Vulnerability Notice on myOneTrust to learn more and stay up to date.

Work with your third parties to identify impact

The potential breadth of impact the Apache Log4j 2 vulnerability has on any software or application using Java and Apache frameworks requires that organizations conduct a timely vendor risk assessments of their third parties. 

Bulk assess your vendors

Launch our new Vendorpedia Log4j 2 questionnaire across your whole vendor inventory as soon as possible. Below is a list of questions to ask vendors about the effects of the Log4j 2 vulnerability:

1. Do you utilize the Apache logging utility Log4j in any of your environments including enterprise and customer? 
2. Have you performed a full inventory for all uses of Log4j within your environments? 
3. Has a security incident been identified as a result of this Log4j vulnerability within your environments? 
4. What additional actions have you taken to manage the issue since Cybersecurity and Infrastructure Security Agency” (CISA) advisory for Log4j was published? 
5. Have you followed Apache’s guidelines for assessing and remediating this vulnerability? 
6. Are there vulnerable versions of Log4j still being utilized within your environments? 
7. Have you reviewed network logs to detect attempts to exploit the vulnerability on your systems? 
8. Are you verifying vendor use of Apache tool Log4j and any plans they have to mitigate the impact? 
9. Have you reviewed public Log4j2 Indicators of Compromise (IoCs) to assure your network is secure? 
10. Have you communicated with your vendors or customers your response to the vulnerability? 
11. To which teams have you communicated your current and planned remediation actions?
12. What is the expected timeline for Log4j remediation?

Determine your in-scope vendors

Based off the assessment results, your team can identify in-scope vendors that are impacted by the vulnerability and the risks their impacts pose on your organization. Once identified, you can determine the appropriate remediation steps to take.

Track vulnerability remediations

Once remediation steps are identified and initiated, you’ll be able to designate a remediation timeline and track execution moving forward and ensure that your vendors are following the right steps. 

How can OneTrust help with TPRM and business resiliency?

The  OneTrust platform leverages expertise in GRC, specializing in Vendor Risk Management, Privacy, Incident  Management and many other categories to deliver an immersive security and privacy management experience. The Vendorpedia™ Third-Party Risk Exchange offers intelligence and automation to solve these challenges and provide value throughout the vendor relationship, from faster onboarding, real-time monitoring, and unprecedented vendor resilience visibility. We enable you to gain visibility into all aspects of your organization’s security structure and empower a  holistic security strategy by enabling your company to consider risk across all domains and regulatory expectations. This allows for seamless incident management and the ability to prioritize trust and transparency as a competitive advantage.   

Are You a OneTrust Customer? Read our Vulnerability Notice on myOneTrust to learn more and stay up to date.

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on digital transformation.