The Log4j flaw is the latest reminder that quick security fixes are easier said than done

Cybersecurity professionals have spent weeks scrambling to address a bug in a widely used software library that could enable hackers to steal data, launch ransomware attacks or otherwise knock systems offline.

The bug, known as Log4Shell, exists in Log4j, an open-source software tool that is used widely in the technology industry. The flaw could allow for attackers, in some cases, to take over vulnerable systems by duping a target into logging code capable of downloading malware hosted elsewhere.

Given the ubiquity of the software and the sheer number of vulnerable systems, U.S. cybersecurity officials gave federal agencies until Dec. 23 to evaluate their exposure and take remediation steps, urging private sector entities to do the same.

Jen Easterly, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, had previously called the bug perhaps “the most serious” she’d seen in her career. The CISA directive cited “active exploitation by multiple threat actors,” while analysts at Microsoft and Mandiant reported seeing hackers thought to be associated with the governments of China, Iran, North Korea and Turkey working to leverage the flaw. Another DHS official, Jay Gazlay, speculated that “hundreds of millions” of devices could be affected.

Where things stand

In recent days there have been multiple reports of attackers looking to weaponize the bug for ransomware, trojans, and surreptitious cryptocurrency mining. One researcher claimed to find evidence of a Log4j-based worm, though others quickly question the idea and characterized such fears as overblown. The anxieties coincide with the Belgian Defense Ministry temporarily shuttering some of its networks to recover from a cyber incident in which unknown outsiders leveraged Log4Shell.

The urgency of the threat is further complicated by the extent of the vulnerability.

Java-based Log4j reportedly is implemented widely, including at technology firms like Google, Amazon and Microsoft, along with software vendors with millions of customers such as IBM, Oracle and Salesforce.

Apache, which oversees the Log4j framework, issued its first patch for the flaw on Dec. 10, but has since had to release two additional patches. The initial patch mostly fixed the problem that would allow external code to run, but would allow, in some cases, for an attacker to deny service to the system entirely in what is known as a denial-of-service attack, or data exfiltration, in other cases. The second patch left open a pathway for outsider to launch denial-of-service attacks, in limited circumstances.

The latest patch, 2.17.0, was issued Dec. 18, earning the recommendation of CISA.

The flurry of activity does not mark the first time that hastily applied patches caused problems. In the wake of the Meltdown and Spectre revelations — where code run against the controlling software of a computer’s operating system, the kernel, could reveal data — the fixes caused notable computer performance slowdowns in some cases, and seemingly random reboots in others. (In 2019, malware developers built proof-of-concept code that would exploit the so-called BlueKeep vulnerability before cyber personnel could widely distribute the necessary software update.)

The sheer scale of Log4j’s use has further complicated matters. CISA’s guidance on mitigation and potentially vulnerable software includes hundreds of vendors ranging from obscure to prominent, such as Amazon, Cisco, Dell, IBM and Microsoft. A particular vendor may have dozens of individual products or programs vulnerable to the problem, making it even more difficult for those responsible to address the issue.

Another problem is the tens of thousands of Java software packages that use Log4j. The “lack of visibility into [users’] dependencies and transitive dependencies has made patching difficult,” researchers from Google’s Open Source Insights Team wrote on Dec. 7. “It has also made it difficult to determine the full blast radius of this vulnerability.”

A lingering threat

The researchers found nearly 36,000 Java software packages that depend on the affected Log4j code, most of which were indirect dependencies, which adds complexity and time for anybody responsible for fixing the problems.

Even as organizations work to identify vulnerable assets and apply the appropriate patch, the problem may not be totally solved and may not become known for months or even years. Skilled hackers will find ways into systems using the vulnerability before everything can be patched, and then lay low, experts say.

“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time,” John Hultquist, vice president of intelligence analysis at cybersecurity firm Mandiant, previously said in a statement to CyberScoop.