The Log4Shell bug has taken the world by storm putting some of the biggest companies at risk and causing a ripple effect across the internet as the huge number of affected sites continues to grow.
A design disaster of epic proportions, millions of web applications built with Java use the ‘log4j’ library in their logging systems. Many software vulnerabilities are limited to a specific product or platform, but Log4j is highly versatile and a basic building block for lots of software hidden and camouflaged in every corner.
The ‘Log4Shell’ vuln is a remote code execution (RCE) flaw that, if left unpatched, allows a hostile actor to run arbitrary Java code on a target server and seize control of it. It’s thought to be almost embarrassingly simple to take advantage of. For those who don’t speak ‘tech’, hackers are able to put executable code into innocent text fields and run them to take full control of a server or system.
ComputerWeekly quoted Bugcrowd CTO Casey Ellis “This is a worst-case scenario. The combination of Log4j’s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet… It was a long weekend for a lot of people.”
Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security teams and dealing with known instances is the first step.
The news highlights 3 vital principals:
- How crucial it is to update software and stay aware of CVEs in real-time.
- The importance of taking inventory, knowing your systems, and developers knowing what software they are running.
- Make plans in advance to mitigate risks. Take care of your incident response and business continuity plans before something happens.
Is your organization preemptively mitigating risk? Sign up today for a 30-day free trial of the Centraleyes Cyber Risk Management Platform. Onboard in under 60 seconds and begin assessing and mitigating risk in just minutes. Click below to sign up and for more information.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days