The Log4j Vulnerability: A Plain English Guide for UK Businesses

Introduction

Every now and then, a cyber security issue comes to light which affects almost every business on the planet.

In December 2021, that’s exactly what happened with the Apache Log4j 2 vulnerability.

IT support teams everywhere scrabbled to limit the risks of this vulnerability, which effectively created an access point for cyber attackers, and the problem has now been patched – but some action may still be required.

If all of this sounds like technical jargon, don’t worry, we’ve got you covered. In this guide, we’ll explain what Log4j is, how it was compromised, and what IT support teams need to know to secure their businesses.

What is Apache Log4j?

Log4j is a logging tool designed to maintain a list of events which occur in the application which developers or IT support teams can then review to diagnose problems and identify issues.

All business systems, especially large cloud-based systems like Google’s Workspace or Microsoft 365, rely on lots of other, smaller, systems to keep up and running. They do this mainly for practical reasons: it would simply take far too long to code every new element of an application by hand every time, so developers use existing code instead.

Apache Log4j is an example of one of these smaller systems which make up a larger whole. It is a framework (also known as a software library) written in a coding language called Java and it’s open-source, meaning it’s freely used in different software all over the world. For this reason, the scale of the potential risk posed by the Log4j vulnerability is larger than any cyberthreat in recent memory.

What is the Apache Log4j vulnerability?

On 9^th December 2021, the existence of a vulnerability in Apache Log4j version 2.15 and below was disclosed. The exploit’s full name is “Log4Shell (CVE-2021-44228)” and it was assigned a risk rating of 10 – the highest possible risk – by the Apache. At the time of the announcement, the National Cyber Security Centre (NCSC) revealed that they had already detected attempts to scan for the affected software libraries

Without going in to too much technical depth, this exploit could essentially allow an attacker to access a piece of software which uses the Log4j software library, then execute their own unauthorised code on that device. This code could steal files, delete data, create botnets, carry out cryptomining, or do practically anything the attacker desired. In short, it’s very dangerous.

The Apache Log4j vulnerability falls into the category of a ‘zero-day’ cyber attack. We’ve covered this in previous blog posts, but essentially that means that the exploit is entirely new and so has no immediate fix available – or had no fix available at the time, at least.

Has the Log4j vulnerability been fixed or patched?

Yes.

Because the vulnerability was privately disclosed to Apache three days prior to the public announcement, a patch to fix the exploit was actually available as early as December 6^th 2021. This meant that Apache were able to announce the problem and the solution at the same time. However, even their initial fix had some teething problems, meaning updates were still being pushed as of December 18^th 2021.

However, it fell to IT support teams and developers all over the world to actually distribute and install the updated version of the software library, which took some time. Even now, some systems will still be vulnerable to this attack due to not being updated – which emphasises how important it is for businesses to take mitigative action.

What IT support teams need to know about Log4j vulnerability

Since the discovery of the Apache Log4j vulnerability, it has been being tracked in detail by the NCSC which has maintained a timeline of key events.

It’s here that IT support teams should focus their attention for the latest updates; however, as of early January 2021, several measures have been taken to contain the Log4j vulnerability.

• If any applications in your business have been developed in-house and are using the versions of Apache Log4j between versions 2.0-beta9 and 2.15, they should be immediately updated to at least version 2.17.0. Your IT support or development teams can help you do this.
  
  
• If you’re unsure whether your third-party applications are using a vulnerable version of Log4j, ensure you update them to the latest version immediately, as well as checking with the software’s vendor to see if there was a risk and if it was patched. Big tech players like Microsoft are already pushing updates to ensure their customers are protected – though most of their products are unaffected.
  
  
• Finally, double-check with your IT support team that none of your web servers, web-based applications, network devices, or other software and hardware are using an affected version Log4j. If so, these must be updated immediately to close potential cyber security holes.
  
  

Need a reliable IT support team to keep your business cybersafe?

The scale of the Apache Log4j vulnerability is a good reminder of how important robust cyber security systems and policies can be. Whether that’s ensuring systems are up to date at all times to monitoring for potential zero-day breaches, your IT support team is on the front line of this effort.

At Get Support, we pride ourselves on delivering IT support agreements that include watertight cyber security advice, along with the deployment and management of the systems required to maintain this security. If you’re not sure your company is cybersecure, we can help make it happen.

To learn more about exactly how we could help your business stay safe, call the IT support experts on 01865 59 4000 or just enter your details into the form below.