Minimizing the Impact of Log4j and Other Java Vulnerabilities
By Stanislav Chernenko - January 20, 2022
Recently, a serious vulnerability was discovered in Log4j, a popular Java logging package.
The vulnerability has affected companies around the world, and early estimates show that at least 90% of the 3 billion devices using Java will be affected.
What is Log4j?
Log4j is an open-source software used to record routine system operations and keep track of activities. Such logging is a fundamental software function, and Log4j is used in everything from games like Minecraft to cloud services like AWS.
A massive amount of the computer code that powers every facet of our lives is built on Java, and in addition to being used by cloud storage providers, software giants, and app builders, it’s used on almost every device that connects to the internet, like TVs and smart appliances.
Usage and Mitigation
Unfortunately, Log4j usage is vastly underestimated. Because it’s often tied to other software, many companies don’t even know they’re using it, which makes mitigation problematic.
Identifying it requires a full inventory of all software, and once it’s uncovered, system admins must take steps to fix it. The fix will depend on how Log4j is being used and can include:
- A full system update
- A software version update
- A manual removal of any affected code
The full extent of the damage is still being uncovered, and it will likely be months or years before we get a complete picture of the impact. Experts say that the sheer number of devices and websites exposed make this the largest software vulnerability in history and will certainly lead to changes in cybersecurity policies around the world.
In the US, Cybersecurity and Infrastructure (CISA) Security Director Jen Easterly says that the Log4j vulnerability is the most serious she’s seen in her career, one that will take years to address, and she encourages business leaders to take steps quickly to make sure they’re protected.
An Expert Fix
So what do those steps involve?
While mitigation efforts will vary by company, the first step is to identify Log4j usage. As programmers, coders, and IT security experts work around the clock to examine millions of lines of code looking for the vulnerability, organizations like CISA are giving agencies deadlines for patching it.
Patches have already been created, but with many companies unaware of the true extent of their Log4j usage, the problem will likely linger for quite some time.
Fortunately, there is a solution. Customertimes is fully aware of the situation, and we can help by conducting an audit that identifies and resolves vulnerabilities in your code, Log4j or otherwise.
Whether or not you’ve already found Log4j in your existing Java code, the possibility of it being present is exceptionally high.
Reach out to us today, and let Customertimes’ security ops specialists find and resolve any code vulnerabilities quickly.