There has been a lot of coverage of a new cyber vulnerability – Log4Shell. I thought that it would be helpful to summarize the potential impacts and what is being done. Additionally, I will share what we have done and what we will be doing going forward. As always, please contact me with any questions or concerns.
What is the Log4Shell Vulnerability?
Log4J is an open-source program for logging application, utility, and operating system activities and errors. It has been broadly used and distributed as an often-silent component of applications and utilities, most often on servers. A capability introduced in 2013 has recently been discovered to allow malicious acts to be performed without permission. (Yes, it is a feature and not a bug!) This capability to allow for malicious access was publicized recently with no advance warning to allow the product to be patched. News spread quickly and there are lots of hackers trying to find servers with this vulnerability.
What are the Potential Risks?
This vulnerability can permit malicious programs to be run on machines without any additional permission, and information that is generally protected on servers can be shared externally.
What Systems are Impacted?
Technically, any of our Windows laptops and desktop machines, Windows Servers, and Linux machines can run the Log4J software. However, this software is usually installed on servers as part of an application or utility installation. As a result, it is unlikely that Windows 10 PCs with Office365 or other versions of MS Office will have Log4J software installed. If you have a Windows or Linux server in your office environment, please let me know immediately (unless we have already contacted you).
The more difficult problem is determining if any of your cloud applications are impacted by this. By definition, cloud applications are run on servers and those servers may have Log4J installed. It is a good idea to check with your cloud application vendors to see what they are reporting about this vulnerability. Many have information published on their websites. Here is a link to the Sophos status on their website (https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce). The good news is that Sophos is not impacted and is protecting our Sophos customer computers.
What is Connected HHI doing about Log4J?
- For our Managed IT customers with servers onsite, we have scanned the servers for Log4J and have not found any installations. For our Managed IT customers, we will be running scans on connected desktops and laptops. This is currently a manual process which involves accessing each device onsite or remotely to run a system scan for the Log4J software. We will advise each customer once scans are complete and if any Log4J software is found.
- We are assembling a status of Log4J reports from cloud software vendors.
- We are staying current as the situation changes and will send out updates with any new information.
What Can You Do?
- Assemble a list of the cloud applications that your team uses and forward a copy to us. We will add any new names to our list and track status.
- Ask your team members if they are running any applications locally on their systems beyond Microsoft and Adobe. If so, please let us know and we can check their systems.
- Pay close attention to any communication that you are receiving from your cloud application vendors. There may be important information being sent out.
- Contact us with any questions, concerns, requests, and suggestions.
- Microsoft response: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
- Techie explanation: https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/
Author: Joe Chappell, Owner and Founder of Connection HHI