Log4j patched – but dangers remain

A ‘horrifying’ vulnerability in Apache logging library Log4j has been patched, but the threat to business is far from over.

The so-called Log4Shell vulnerability emerged at the beginning of December, when Cisco and Cloudflare identified a huge security flaw in the open source software, built to allow users to keep track of what happens within their apps.

Using the vulnerability, hackers can easily place code onto servers, to then steal user data, head deeper into corporate networks, install cryptominers and launch any number of other attacks.

So worrying was the development that Chief Architect of ExpressVPN, Peter Membrey, likened it to a disaster movie. “As soon as I saw how you could exploit it, it was horrifying,” he told The Verge. “You know what’s coming, but there are very limited things you can do.”

Thankfully, the cyber security industry rallied around after the vulnerability was announced, identifying at-risk applications and potential routes of attack, to try and protect impacted businesses as best they could. Among them was network security provider Cloudflare, which found the threats to be so dangerous that it announced early on that it would offer firewall protection to all its customers free of charge.

Surely enough, a patch was quickly rolled out to close the vulnerability, but unfortunately that doesn’t close the case.

In fact, the ramifications of this weakness could be felt for years to come. Independent security researcher Chris Frohoff told Wired.com that businesses will probably find vulnerable software show up within their custom enterprise apps “for a long time”.

Among the largest systems thought to have been impacted are Microsoft, IBM and Amazon. Outside of the household names there are further worries for software working behind the scenes. The likes of Broadcom, Red Hat and VMware create software on which their clients build their businesses. If these systems are vulnerable, it goes right the way to their clients’ core infrastructure.

The issue has also thrown into stark light the work of a volunteer army, racing to help patch vulnerabilities as quickly as possible. Many of those who worked on Log4Shell were not paid for their time, even though the system is used in huge, multinational systems.

It’s yet to be seen whether some sort of ‘bug bounty’ is provided to those who rallied to patch the system.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Log4j patched – but dangers remain

Categories

Horsham Office: 01293 871971 | London Office: 0203 763 3919 | IT Support: 01293 876000