The Apache Log4j Vulnerability
Also known as Log4Shell, the Apache Log4j vulnerability was THE cybersecurity news story of December and one of the most significant of 2021, and likely of 2022 as well. A flaw in the widely used Java logging library, it was first disclosed on December 9. The vulnerability was first discovered in Minecraft and allows unauthenticated remote code execution with the privileges of the application that uses the logging library.
Log4j is open source software from the Apache Software Foundation. It records errors and routine system events, then communicates diagnostic messages about them to users and system administrators. An example of Log4j in action is when you click on a broken link or mistype a URL and get a 404 error message in your browser: the web server tells you there is no such page and records the event in a log using Log4j.
Log4j is the most popular Java logging library. It is used in many systems, including web applications, cloud platforms and email services. The Log4j library is embedded in virtually every Internet application or service we are familiar with, including those of Amazon, Twitter and Microsoft.
Given the ubiquity of the Log4j library, the difficulty of manually remediating it and the ease of exploiting Log4Shell, the vulnerability’s impact could continue to be felt for years to come. Little wonder that it has been assigned the highest possible risk score: a severity of 10.
Thousands of attempts at exploiting this vulnerability were recorded just hours after it was made public. This is not uncommon, of course, since bad actors often want to exploit a newly disclosed flaw before it is widely remediated. In this case, though, the widespread use of Log4j and the fact that many organizations are unaware that it is part of their network imply there could be an unusually long window for cyber criminals to try and make the most of the flaw.
Users and administrators are being urged to apply mitigating controls immediately including upgrading Log4j.
DHS Announces Cybersecurity Bug Bounty Program
The US Department of Homeland Security launched a bug bounty program to help identify and rectify cybersecurity vulnerabilities in select external-facing DHS systems. First disclosed at the Bloomberg Technology Summit by the DHS Secretary, the ‘Hack DHS’ program will pay between $500 and $5,000 depending on the severity of the vulnerability.
Unlike regular bounty programs that are open to everyone, participating researchers will be vetted before they are invited to access DHS systems. ‘Hack DHS’ builds on the success of ‘Hack the Pentagon’, the pioneering federal program launched in 2016 that has unearthed more than 7,000 security gaps.
‘Hack DHS’ will have three phases, all of which will run through 2022. First, a virtual assessment in which hackers are invited to analyze DHS systems. Second, a live hacking event. Third, vulnerability identification, review and planning for future bounty programs. The program will be governed by rules set out by DHS’s CISA, requiring participants to disclose all information they discover that could be used to mitigate and correct the vulnerabilities they find.
The program is intended not only to serve as the basis for planning future bug bounties but also as a blueprint that government agencies can use to strengthen their cybersecurity resilience.