The Log4j Vulnerability Spells Crisis for Network Security, With Some Exceptions

In early December 2021, a significant vulnerability in a common piece of Java-based code by Apache set the world on fire…at least for IT security professionals. Within 24 hours of disclosure, leading software companies like IBM, Oracle, Amazon, and Cisco went into damage control, seeking to assess the level of potential damage they had and could expect to sustain, and frantically working on patches to prevent their customers’ data from being siphoned off and sold to the highest bidder. The event was fitting for 2021, a year marked by disinformation, confusion and fear. 

“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency director, said in a interview on CNBC. 

As December 2021 dragged on, related flaws continued to surface, sending those same software companies back to the drawing board to repackage and test yet another series of patches for customer distribution. This after communicating initial patches to customers that often took a whole weekend or more to implement. It didn’t bode well for a happy holiday season for already resource-strapped IT teams who had been dealing with a plethora of network security issues for two years brought on by the COVID-19 pandemic and the overnight surge of remote workforces.  

Depending on the version and the type of application, the log4j vulnerability’s scope and severity ranged from focused and moderate to widespread and critical. Some vendors were hit harder than others, such as Cisco, whose Identity Services Engine system saw more than 120 configurations affected. Others, like Microsoft, capitalized on the opportunity, rolling out solutions to proactively seek out and manage affected files, software, and devices impacted by log4j. 

Widespread & Hard to Pin Down

The extent of the impact of the log4j vulnerability was in many ways foreseeable. The root cause: human “ingenuity” that could otherwise be called laziness. Rather than reinventing the wheel by creating a new set of code for each application that is developed, software engineers now often patch together existing libraries and packages for shared functions to generate much of the codebase that runs critical applications. 

Like many noteworthy cyber incidents before it, the Log4j vulnerability helped us open our eyes to just how many software dependencies exist across enterprise systems — no matter if they are designed for security, operations, or sales. It also highlighted to us just how hard it is to mitigate and develop stopgaps for these vulnerabilities when they are so far-reaching and barely understood, especially in the early days of disclosure. 

While the ability to utilize the same code across many systems does offer value in terms of time to market, the problem is that many prefabricated libraries and open-source projects are interdependent, resulting in a web of dependencies that drill down many layers. Inevitably, this creates a scenario where indirect dependencies that can be nearly impossible to identify and troubleshoot when a vulnerability is unearthed. 

For the average Joe IT manager, this just means that the software you licensed was likely built using common third-party code you’re not even aware of that likely contains some vulnerabilities. Multiply this shared code across other enterprise systems in your stack – and queue the headaches. 

Avoiding Issues Like Log4j as an End-User

Java is a programming language that’s been around for a while and is commonly found in older on-premises software. As such, it should not come as a surprise that the classic tech giants of the world wasted no time prioritizing the log4j vulnerability – they had billions of dollars in revenue at stake across their suites of legacy software. And to make matters worse, the issue didn’t just impact Java-based systems, but also Java components and development frameworks that rely on it including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, ElasticSearch, Apache Kafka and many others. We’re talking about tens of millions of impacted systems in use at any given moment today. 

How to avoid such widespread vulnerabilities is more than a question of choosing which apps are programmed with which language(s) – software engineers can debate the efficacy of each until they are blue in the face. Rather, it’s a question of how to consume enterprise software. For organizations more reliant on cloud native software-as-a service applications, IT employees almost certainly experienced fewer lost weekends dealing with the log4j problem. 

This is because SaaS has a shared responsibility model, whereby both the vendor and the customer are responsible for the security of the application in use. The onus is on the SaaS vendor to deliver secure products and services, while the responsibility for configuring, managing, and using the product lies with the customer. In the case of Log4j, most of the heavy lifting falls on the SaaS vendor. They must ensure that their products are not affected. If they are, it is up to them to provide transparency into how the system is being patched and how the vulnerability is being mitigated.  

While this differentiation seems simple, implementing a cloud-first IT strategy – no matter if universal or by function – can mean retaining IT talent by avoiding burnout, optimizing your IT budget by eliminating the need for third-party professional services, and so much more.