The Lessons Learned From Log4j

Uploaded on 2022-03-15 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

The US government recently hosted a meeting with major technology companies to discuss improving cyber security in open-source software. 
 
When vulnerabilities are discovered in widely installed open-source software, vendors must analyse and create solutions for each of their products. The more products a vendor has the longer this will take. More often than not, a company’s IT security team will prefer the broad-based approach to security provided by third-party software support over vendor support.

Solutions provided by third-party support are not software or vendor specific and are often ready before any vendor patches can be developed. 
 
The White House said the meeting focused on trying to make open-source software more secure “by design” and to make sure that security holes were more quickly detected and plugged when they arose. 

Log4j  

The meeting followed the discovery of a serious vulnerability in the Apache Java-based Log4j software last December. The Log4Shell hole affected thousands of applications all around the world, after it created a relatively simple path for hackers to remotely access organisation’s systems. 
 
The likes of Oracle, Apple, Facebook/Meta, Google, IBM, Microsoft, RedHat and VMWare, among others, attended the White House meeting, which also saw the participation of the US departments of defence, commerce, energy, and homeland security, along with cyber security bodies. 
 
Three topics were discussed: 

  • Preventing security defects & vulnerabilities in code and open-source packages.
  • Improving the process for finding defects and fixing them.
  • Shortening the response times for distributing and implementing fixes.   

This final area is key when making sure that business software that is integrated with or working with compromised open-source software is effectively protected. Sometimes, the main providers of key business software can be slow to understand the implications of breaches in others' software on their own.   

Oracle Slow Off The Mark   

 As a provider of third-party support, Spinnaker Support works with various software lines, including Oracle software, and was quicker off the mark than Oracle when it came to providing a comprehensive fix to the potential effects of the Log4j bug. 
 
First reported via email to the Apache Software Foundation (ASF) on November 24 then publicly disclosed by the Apache Foundation and others on Friday 10 December. The bug was given the highest severity score, and governments globally issued alerts. Within the critical 24- to 48-hour period following the disclosure of the vulnerability, our security team jumped to find a solution to the problem that would protect our customers using Oracle software. 
 
As the crisis unravelled and with the Apache Foundation releasing new Log4j versions, new and additional vulnerabilities were found/introduced meaning that Oracle was playing catch up, and even at one point stating that Oracle databases were unaffected, which is not strictly true if you include related services such as Spatial and TFA. In the end, Oracle issued numerous patches, and often on multiple occasions. 
 
Oracle did not deliver a full solution until well after we did. There was a lot of media hype about how many organisations and products could be affected, as is always the case. Using our broad-based approach to security, we were able to quickly determine which of the products we support were not affected or not using the frameworks that were potentially impacted.   

Removing Uncertainty 

The problem centred on a Java class file used for logging system issues.  We were able to provide clients with steps to remove the vulnerable Java class or adjust application configurations, so it was not being used on their systems.  We removed uncertainty, and they were able to use our generic advice to address the same issue in other parts of their technology stack. 
 
We had a full solution available for Oracle customers by the night of Sunday, 12 December, ready for companies to protect their systems on Monday morning. Oracle, on the other hand, first issued a general advisory with no solution, and then battled to issue a series of patches over a number of days, going up to the following Friday, 17 December.  

Customers Left Unsure 

Oracle left some of their customers unsure as to whether they were affected or not - we didn't as we were quicker at delivering a streamlined solution that every one of our customers could use. We knew about the issue right away, researched and evaluated it, and published an actionable response over the weekend to make sure all our clients had everything to hand to deal with the issue. They didn't have to go through a convoluted patching process for different products. 
  
The White House said discussions around Log4j, and other potential open-source threats will continue in the coming weeks between the public and private sectors. The inability for some software vendors to quickly identify all their software that is impacted by an issue with open-source software should be a part of those discussions. 

Timothy Boles Is Director Security Services at Spinnaker Support 

You Might Also Read: 

Defending Against Log4j Vulnerabilities:

 

« In Britain 'Cyberflashing’ Is Now A Crime
Israeli Government Websites Knocked Offline »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

Watch this webinar and get a comprehensive roadmap for securely adopting generative AI using Amazon Bedrock, a fully managed service that offers a choice of high-performing foundation models (FMs).

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

SSH Communications Security

SSH Communications Security

SSH Communications Security is a leading provider of enterprise cybersecurity solutions for controlling trusted access to information systems and data.

Karamba Security

Karamba Security

Karamba provide an IoT Security solution for ECUs in automobiles which ensures that all cars are protected (not just autonomous cars).

LogicManager

LogicManager

LogicManager offer a complete set of IT governance, risk and compliance software solutions and advisory services.

Materna Virtual Solution

Materna Virtual Solution

Materna Virtual Solution security solutions enable user-friendly, secure mobile working environments.

Flexera

Flexera

Flexera is reimagining the way software is bought, sold, managed and secured.

Mitek Systems

Mitek Systems

Mitek's global mobile capture and identity verification technology optimizes the digital user experience for thousands of financial services organizations.

CTERA Networks

CTERA Networks

CTERA provides cloud storage solutions that enable service providers and enterprises to launch managed storage, backup, file sharing and mobile collaboration services using a single platform.

NSEIT

NSEIT

NSEIT offers end-to-end Information Technology products, solutions and services including cybersecurity to organizations in the financial sector.

Hacken

Hacken

Hacken provide a range of cybersecurity services including security assessments, blockchain security audits, and secure software development.

Vector Informatik

Vector Informatik

Vector Informatik is a specialist in automotove electronics and provides services, embedded software and tools for securing embedded systems against cyber-attacks.

Twingate

Twingate

Twingate help organizations secure and manage access to their technology resources in a world where people work from anywhere.

RegScale

RegScale

RegScale helps organizations comply in real-time with multiple compliance requirements (NIST, CMMC, ISO, SOX, etc), scalable to meet the needs of the entire enterprise.

Aravo Solutions

Aravo Solutions

Your Extended Enterprise is full of hidden risks – Aravo makes them visible, measurable, and manageable.

Arelion

Arelion

Arelion is a leading light in global connectivity and we've been keeping the world connected for nearly three decades.

Dropzone AI

Dropzone AI

Dropzone AI are creating a generational leap in SecOps by using AI to automate cyber expertise and tooling.

The Cyber Scheme

The Cyber Scheme

The Cyber Scheme provides NCSC certified and assured assessments, training and career support for security testers & technical cyber professionals.