ITAM & the Log4J vulnerability

15 December 2021
4 minute read
Best practice

ITAM & the Log4J vulnerability

15 December 2021
4 minute read

Log4Shell – aka Log4J – is the latest software vulnerability to be discovered and, according to the Guardian, it could be the worst one to appear for several years. The CEO of Tenable called it “the single biggest, most critical vulnerability of the last decade” while the CSO of Cloudflare said they’d “be hard-pressed to think of a company that’s not at risk”. Furthermore, the Apache Software Foundation – who oversee the software in question – assigned it the maximum CVSS severity rating of 10. Clearly this is a security exploit with the potential to have far-reaching implications.

What is it?

Log4J is a Java-based logging tool used in Apache open-source software – and this is product in use across the vast majority of organisations worldwide. The vulnerability, which can allow attackers to install and run code on remote devices, was first identified within (the Microsoft owned) Minecraft servers where attackers were able to exploit the vulnerability via chat messages. Additional services hit by this include Apple iCloud, Steam, Twitter, and Tencent. The German BSI said “it [is] rather easy to exploit, which causes experts great concern” – a view shared by security practitioners across the globe.

What needs to be done?

According to security firm Sophos, organisations need to:

find any and all code in your network that is written in Java and check whether it uses the Log4j library

An update for Log4J has been released and so all affected devices need to be patched asap but this is often the problem. As we’ve seen in previous security exploits, the gap between a patch being released and organisations installing it on their devices can be extremely large. Furthermore, organisations are not always able to identify all the devices which require the patch; both of these were key issues in the Equifax breach of 2017.

How ITAM can help

You can’t secure what you can’t find”.

Although it may seem an obvious and perhaps even trite statement at this point, it continues to be true. Comprehensive asset discovery is the foundation for many areas critical to a business and this is a sentiment being echoed by those in the security world…at least on Twitter:

This is a great opportunity to either:

a) show the success of the ITAM/Security partnership you have cultivated, or
b) show how a stronger relationship between the two teams would benefit the business

Having a shared inventory of devices and the software on them alongside a rapid patch management process can make mitigating this attack, and others like it, as easy as possible. If that relationship isn’t there but you have tools/data/processes you believe could help, take this opportunity to get involved and help out. Showing how ITAM supports other teams and reduces risks across the business is a great way to increase executive focus and bolster ITAM’s credentials internally.

Software Bill of Materials

Another interesting element is the call for more work around creating Software Bill of Materials. They are a growing focus in the open source world and, in their statement regarding Log4J, the US Cybersecurity & Infrastructure Security Agency (CISA) said this scenario:

underscores the urgency…more widespread use of Software Bill of Materials (SBOM), which [was] directed by President Biden in his Executive Order issued in May 2021. A SBOM would provide end users will the transparency they require to know if their products rely on vulnerable software libraries

Conclusion

Helping your organisation to manage and mitigate this latest security threat can be a great chance to demonstrate the value that ITAM brings to all aspects of your organisation. Even once the immediate panic has passed, ensure you have a process for discovering and highlighting any unpatched instances that may appear on your network. Take this opportunity to help your peers, your business, and yourself.

Can’t find what you’re looking for?