How dangerous is the The Apache Log4J vulnerability ? How does a 10 out of 10 CVSS Severity level ( CVSS is an industry-standard vulnerability metric)
“Various information security news outlets reported on the discovery of critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). Millions of Java applications use this library to log error messages. To make matters worse, attackers are already actively exploiting this vulnerability. According to Kaspersky Daily.
Take action: the Apache Foundation recommends all developers to update the library to version 2.15.0, and if this is not possible, use one of the methods described on the Apache Log4j Security Vulnerabilities page.”
In addition the Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly released the following statement today on the “log4j” vulnerability:
“CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. ” more…..
What does this mean to our Insureds, and their clients ?
Please check with your vendors to see if they have identified a potential vulnerability. Check your own systems, and offerings to determine if you have a vulnerability.
CISA recommends asset owners take three additional, immediate steps regarding this vulnerability:
- Enumerate any external facing devices that have log4j installed.
- Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
- Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.
For additional information on how to protect your business, or personal assets contact Broadfield Insurance at Cyber Liability Insurance – Broadfield Insurance or call 845-986-2211.