Are We Still Talking About the Log4j Vulnerability?

By Amanda Alvarez | Senior DevSecOps Engineer, Trace3 Security Solutions

In today’s speed of business, things that happened at the end of 2021 can feel like eons ago. The Log4j vulnerability discovered in December of 2021 affected all facets of cybersecurity, as millions of attempts were made to exploit the exposure of the information logging software. The Log4j vulnerability may sound like old news, but it’s still a huge threat today.

Studies show there are still millions of Log4j instances that remain vulnerable currently. Of them, the highest percentage of vulnerabilities were found in open-source applications.

Let us take a moment to review the events that occurred over three months ago. Many professionals across all industries quickly realized why Log4J is considered one of the most critical exploits to be discovered. As of today, state-sponsored and cyber-criminal attackers are continuing to leverage the Log4J vulnerability that allows anyone to run remote code execution programs to this day. Leaving this serious issue unpatched can let attackers conduct Distributed Denial of Service (DDoS) attacks or permit miners to collect cryptocurrencies on your resources.

This historic discovery highlighted flaws within software development lifecycles by identifying and remediating all impacted applications. From a shortage of security professionals to lacking a robust inventory management system, many companies across the globe were not prepared to deal with a zero-day at such a large scale, but this presents itself as an opportunity to design and implement proactive measures to prepare for the next exploit.

Once the bleeding has been stopped, companies should create a culture to find and fix issues as quickly as possible. One method is to build relationships between development, security, and operations teams to break down silos and foster collaborative environments with built-in feedback loops from security tools. Implementing tools and processes around developers’ workflows enables engineers to identify and remediate vulnerabilities as soon as they are discovered without slowing them down on their delivery. Lastly, transparency about what is in your critical applications can be achieved by leveraging a dynamic Software Bill of Materials (SBOMs) to provide awareness and visibility to bolster risk management at scale, which can be used to build risk-based security reports to be shared with leadership and gain buy-in for adopting a security culture.

It is essential to act now if remediation measures have not yet been addressed. But, even if you have taken action, the millions of recently identified vulnerabilities mean you may need to take a second look.

The two biggest questions asked when a zero-day vulnerability is found are:

  • Are we vulnerable?
  • Are we compromised?
To help you quickly handle Log4j and other known or unknown threats, Trace3 and Lacework are partnered and offering a free, no-obligation, 14-day Cloud Threat Hunting Assessment. Together, our cloud security experts will work with you to find all vulnerable systems across your cloud and container environments – instances that other vulnerability scanning tools miss. This Lacework technology continuously monitors for active signs of compromise, helping to reduce risk, and better protect your business.

To learn more about these offerings from Trace3 and Lacework, click here.

Amanda-AlvarezAmanda Alvarez has seven years of industry experience across IT, software engineering, and security. She specializes in DevSecOps by advising clients in their digital transformations to reform cultures and balance agility with security guardrails. Amanda is an advocate of the ‘shift-left’ approach by building security feedback loops to enable and empower developers to build secure products.
Back to Blog