On December 10, the world found out that a seemingly innocuous open-source logging library called Log4j contained a critical vulnerability in its recent 2.x releases (CVE-2021-44228, quickly nicknamed Log4Shell). By submitting a specially crafted string anywhere an application would log it, for example in the “username” box on a login page, an attacker could make the server fetch and run code from a machine the attacker controls, and so take over trusted enterprise computers.
Over the course of several hours, the Entrust Security Operations team analyzed our products for this Log4Shell vulnerability, and this investigation is ongoing. We updated our cloud-based security and identity services quickly using mitigations consistent with the Apache advisory – and kept these services online for our customers.
Most of our on-premises applications were not affected: they either did not use Log4j at all or, in the case of some older products, used Log4j 1.x without a configured JMSAppender. The 1.x branch does not perform lookups on logged messages, so it is not exposed to Log4Shell; its one JNDI-related weakness, CVE-2021-4104, only applies when an attacker can already write the logging configuration and enable the JMSAppender.
Entrust concluded that some products included Log4j 2.x and were affected. For those products, we communicated short-term mitigation steps to customers while prioritizing patches. This will get done, but it will take time. Until all Entrust patches have been made available, our teams will continue to update our customer base through our normal communications channels. Customers are urged to reach out to our support teams with questions or concerns about needed actions and our progress.
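The triage described above, deciding which deployed products ship a Log4j version that needs action, comes down to finding every Log4j jar on a system and reading its version, including jars bundled inside other archives. The Python script below is an added example written for this post, not Entrust tooling: it walks a directory tree, opens each jar, war or ear (recursing into archives nested inside them), classifies each as Log4j 1.x or log4j-core 2.x from its Maven pom.properties entry, and checks whether JndiLookup.class is still present, which is the Apache advisory's class-removal mitigation. The sample jars it builds are constructed stand-ins containing only the marker entries the scanner reads, not real Log4j binaries.

```python
"""Inventory Log4j jars on disk and say which still need action for Log4Shell (added example, not Entrust tooling)."""
import io, os, re, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
V1_POM, V1_CLASS = "META-INF/maven/log4j/log4j/pom.properties", "org/apache/log4j/Logger.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> sortable tuple; pre-releases sort below the final release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text or "")
    if not m:
        return None
    major, minor, patch, tag, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 1 if tag is None else 0, int(pre or 0))

def pom_version(zf, name):
    """Read 'version=...' from a Maven pom.properties entry, or None if absent."""
    if name not in zf.namelist():
        return None
    lines = zf.read(name).decode("utf-8", "replace").splitlines()
    return next((l.split("=", 1)[1].strip() for l in lines if l.startswith("version=")), None)

def verdict_for_core(version, has_jndi_lookup):
    """Apply the Apache advisory to one log4j-core jar."""
    if not has_jndi_lookup:  # also covers builds older than 2.0-beta9, which never had the lookup
        return "mitigated: JndiLookup.class removed"
    key = parse_version(version)
    if key is None:
        return "unknown version: inspect manually"
    if key < parse_version("2.15.0"):
        return "VULNERABLE (CVE-2021-44228): upgrade"
    if key < parse_version("2.16.0"):
        return "partial fix only (2.15.0 still affected by CVE-2021-45046): upgrade"
    return "not affected by Log4Shell"

def inspect_archive(zf, label):
    """Classify one archive and recurse into archives nested inside it (fat jars, wars, ears)."""
    names, findings = set(zf.namelist()), []
    if CORE_POM in names:
        findings.append({"path": label, "flavor": "log4j-core 2.x", "version": pom_version(zf, CORE_POM),
                         "verdict": verdict_for_core(pom_version(zf, CORE_POM), JNDI_LOOKUP in names)})
    elif V1_POM in names or V1_CLASS in names:
        # 1.x has no message lookups; its only JNDI exposure is a configured JMSAppender.
        findings.append({"path": label, "flavor": "log4j 1.x", "version": pom_version(zf, V1_POM),
                         "verdict": "not Log4Shell: check config for JMSAppender (CVE-2021-4104); 1.x is end-of-life"})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                findings += inspect_archive(zipfile.ZipFile(io.BytesIO(zf.read(name))), label + "!" + name)
            except zipfile.BadZipFile:
                continue
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                try:
                    with zipfile.ZipFile(os.path.join(dirpath, f)) as zf:
                        findings += inspect_archive(zf, os.path.join(dirpath, f))
                except zipfile.BadZipFile:
                    continue
    return findings

def build_sample_jars(root):
    """Constructed stand-ins holding only the marker entries the scanner reads, not real Log4j code."""
    def make(target, entries):
        with zipfile.ZipFile(target, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
    def core(version, keep_lookup=True):
        entries = {CORE_POM: "version=%s\n" % version}
        if keep_lookup:
            entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # class-file magic, standing in for the class
        return entries
    for v in ("2.14.1", "2.15.0", "2.16.0"):
        make(os.path.join(root, "log4j-core-%s.jar" % v), core(v))
    make(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), core("2.14.1", keep_lookup=False))
    make(os.path.join(root, "log4j-1.2.17.jar"), {V1_POM: "version=1.2.17\n", V1_CLASS: b""})
    nested = io.BytesIO()  # a web app bundling an old core under WEB-INF/lib
    make(nested, core("2.0-beta9"))
    make(os.path.join(root, "app.war"), {"WEB-INF/lib/log4j-core-2.0-beta9.jar": nested.getvalue()})

def demo():
    """Build the sample tree in a temp dir, scan it, and map each archive to its verdict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jars(root)
        return {os.path.relpath(f["path"], root): f["verdict"] for f in scan_tree(root)}

if __name__ == "__main__":
    for path, verdict in demo().items():
        print("%-50s %s" % (path, verdict))
```

Running the script prints one verdict per archive, including the 2.0-beta9 core hidden inside app.war, which a scan that only looks at file names would miss. Two caveats for real use: the pom.properties entry can be absent from repackaged or shaded jars, so an "unknown version" result means look harder rather than assume safe, and a 1.x hit is not a Log4Shell finding but is still a reason to check the logging configuration and plan a migration off the end-of-life branch.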
We are not alone in this. As Wired reported this week, “the flaw is exposing some of the world’s most popular applications and services to attack.”
With every crisis, there’s a tendency to prepare for the last crisis. So, what can we learn from the Log4j crisis that will help us anticipate the next one? A few thoughts for IT and infosec leaders to consider:
- When we deploy open source in enterprise software, it’s on us to manage the risk. Adopting open source into enterprise software is very common across the industry, and following best practices is an absolute must. For example: choose widely adopted, well-maintained open-source projects; keep dependencies up to date; integrate security scanning tools into build pipelines; and keep an inventory of which components and versions each product ships, including those bundled inside other components, so that the question “are we affected?” can be answered in hours rather than days.
- Technical Vulnerability Management (TVM) won’t protect you from a real zero-day exploit, but it will help you recover faster. TVM, along with patching and configuration management, is the meat and potatoes of security. A true “zero day” will always be dangerous, because the first exploit arrives before the fix; what a good TVM program buys you is a known asset inventory and a tested patch path, so the window between disclosure and remediation is hours or days instead of weeks.
- Controls like EDR (endpoint detection and response), WAF (web application firewall), FIM (file integrity monitoring) and the like still have value to block and track attack vectors, with one caveat: the first WAF signatures for the literal string “${jndi:” were bypassed within hours using Log4j’s own nested-lookup syntax, so treat such rules as a way to buy time and to log attempts, not as a fix. Keep your eyes on emerging solutions such as XDR (extended detection and response) and other analytical systems.
- Zero Trust networks are the future, and companies should start investigating options. Zero Trust is based on the premise of least privilege access: giving a user, service or device only the permissions it needs to fulfill its function, and no more, including outbound network access. This ring-fences a vulnerability as it arises and limits its impact: a service that cannot open arbitrary connections to the internet cannot reach the attacker-controlled LDAP or RMI server that the typical Log4Shell exploit chain depends on, and a compromised service with narrowly scoped permissions gives the attacker little to pivot to. It is a complex challenge that requires both investment and time to get right.
- Public cloud usage will continue to accelerate – and it needs strategic management. Infosec is evolving new concepts (and new acronyms) every day — CASBs, CSPM, CSMPs, CNAPP and more – to describe tools and controls to manage our emerging hybrid cloud and multi-cloud environments.
- Be ready to communicate. Vendors must be prepared to act quickly in response to zero-day threats and to tell their customers clearly what is affected, what to do in the meantime, and when patches will arrive.
I once read that TVM is a Sisyphean endeavor: every time you think you’ve pushed the information security rock to the top of the hill, the latest vulnerability starts you back at the bottom. But if we can learn, adapt and anticipate, with a focus on the foundations of data protection, we can make that hill a little more manageable every time.
Entrust customers should reach out to Entrust customer support for more information and assistance with Log4j response.