Voyager18 (research)

Operational challenges in mitigating log4j

The unprecedented log4j vulnerabilities caused widespread panic across the cyber security world, and brought significant operational challenges to teams scrambling to mitigate the risk. Here's what we learned.

Derek Hays | December 30, 2021

2021 left a final, chaotic surprise for the cyber security community with the unprecedented critical zero-day log4j vulnerabilities. The remediation scramble in the immediate aftermath brought significant operational challenges. Teams worldwide were suddenly caught off-guard, working around the clock to fix a vulnerability nobody saw coming.

Here are some of the key logistical and operational issues that emerged as a result of log4j:

Log4j – An evolving event 

As if the initial log4shell vulnerability (CVE-2021-44228) wasn't enough, a series of new, related vulnerabilities emerged, some of them tied to the fixes for the original one: CVE-2021-45046, which showed that the first fix (2.15.0) was incomplete in certain non-default configurations, and CVE-2021-45105, a denial-of-service issue that remained in 2.16.0.

The most surprising aspect of this all was that some of these vulnerabilities were downplayed at first, having received low scores. CVE-2021-45046, for example, was initially published with a CVSS score of 3.7 as a limited denial-of-service issue. A few days later it was re-scored to 9.0 and recognized as critical, once researchers showed that it could lead to information leakage and remote code execution in some configurations.

Additionally, government and federal agencies were required to address these vulnerabilities immediately, within a very short timeframe (in the US, CISA's Emergency Directive 22-02 gave federal civilian agencies until December 23, 2021 to enumerate and patch or mitigate affected systems).

Keeping track of log4j

This type of vulnerability had very high exposure, and there were many reports of it being exploited or targeted at large scale. It was important for organizations to keep track of this quickly developing event, and it was challenging to track it from the several angles that were necessary:

Track all related vulnerabilities 

Regardless of their initial score, organizations need good visibility of the log4j situation, and must be ready to act on any new findings or updates to the current risk. This also includes tracking any third-party packages being used, contacting software vendors for the latest updates, and monitoring patch releases.

Prioritize critical assets

Teams need to identify the impacted attack surfaces and their business impact and prioritize the most critical assets that require the most urgent attention.

In practice, this means starting with external-facing assets, since an unauthenticated RCE on them is directly reachable by attackers, then moving on to business-critical internal assets and applications.

Remediate efficiently

After prioritizing, teams have to find the best fix or patch for each affected asset and drive a quick cyber risk management process, from end to end, to fix those assets.

Organizations also need to track the progress of this critical patching effort and make sure it actually gets fixed. They additionally need to track each team's patching process, making sure the teams are meeting agreed SLAs. During this process, they should be looking for issues that may block a patch (a vendor that has not yet shipped a fix, a version that cannot be upgraded immediately), in order to come up with compensating controls such as monitoring and alerting, or limiting network access.
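The three steps above (track the related CVEs, prioritize by exposure and business impact, and separate what can be patched now from what needs a vendor answer) can be run as one triage pass over an asset inventory. The script below is an added example, not code from the original article or from Vulcan Cyber. The fixed-version table follows Apache's advisories for the three CVEs named above (the 2.3.x line is for Java 6, the 2.12.x line for Java 7, everything else is fixed only on the main line); the inventory, the field names and the ordering rule are a hypothetical construction.

```python
"""Triage a log4j-core inventory against CVE-2021-44228, CVE-2021-45046 and
CVE-2021-45105, ranking assets for remediation. Added example; the asset
inventory below is constructed, not real data."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First fixed version per release branch, per Apache's advisories.
# A version is vulnerable to a CVE if it is older than the branch's fix.
FIXED_IN = {
    "main": {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0), "CVE-2021-45105": (2, 17, 0)},
    "2.12": {"CVE-2021-44228": (2, 12, 2), "CVE-2021-45046": (2, 12, 2), "CVE-2021-45105": (2, 12, 3)},
    "2.3":  {"CVE-2021-44228": (2, 3, 1),  "CVE-2021-45046": (2, 3, 1),  "CVE-2021-45105": (2, 3, 1)},
}
# Relative ordering used for tie-breaking (RCE above the DoS issue); not CVSS.
SEVERITY_RANK = {"CVE-2021-44228": 3, "CVE-2021-45046": 2, "CVE-2021-45105": 1}


def parse_version(text: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None when the version is unknown.
    '2.0-beta9' parses as (2, 0, 0), which correctly lands it in range."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def branch_of(v: Tuple[int, int, int]) -> str:
    if v[:2] == (2, 12):
        return "2.12"
    if v[:2] == (2, 3):
        return "2.3"
    return "main"


def applicable_cves(version_text: Optional[str]) -> Optional[List[str]]:
    """CVEs (of the three above) still open for a log4j-core version.
    [] means clean; None means the version is unknown and the vendor
    has to be asked."""
    v = parse_version(version_text)
    if v is None:
        return None
    if v[0] != 2:
        return []  # log4j 1.x is a separate code base, out of scope here
    fixed = FIXED_IN[branch_of(v)]
    return [cve for cve, fix in fixed.items() if v < fix]


@dataclass
class Asset:
    name: str
    log4j_version: Optional[str]  # None when the vendor has not disclosed it
    internet_facing: bool
    business_critical: bool


def triage(assets: List[Asset]):
    """Rank affected assets: internet-facing first, then business-critical,
    then by worst open CVE. Returns (ranked [(name, cves)], unknown [names])."""
    rows, unknown = [], []
    for a in assets:
        cves = applicable_cves(a.log4j_version)
        if cves is None:
            unknown.append(a.name)  # needs a vendor answer, track separately
            continue
        if not cves:
            continue
        worst = max(SEVERITY_RANK[c] for c in cves)
        rows.append((a.internet_facing, a.business_critical, worst, a.name, cves))
    rows.sort(key=lambda r: r[:3], reverse=True)  # stable, so input order breaks ties
    return [(name, cves) for _, _, _, name, cves in rows], unknown


# Constructed inventory (hypothetical asset names and versions).
INVENTORY = [
    Asset("web-gateway", "2.14.1", True, True),     # unpatched, all three open
    Asset("partner-api", "2.15.0", True, False),    # took the first fix only
    Asset("erp-core", "2.12.2", False, True),       # Java 7 line, 45105 still open
    Asset("build-agent", "2.17.0", False, False),   # clean for these three
    Asset("hr-portal", None, False, True),          # vendor has not said
    Asset("legacy-batch", "1.2.17", False, False),  # log4j 1.x, out of scope
]

if __name__ == "__main__":
    ranked, unknown = triage(INVENTORY)
    for name, cves in ranked:
        print(f"{name:14} {', '.join(cves)}")
    print("awaiting vendor:", unknown)
```

The point the ordering makes is the one the article does: `partner-api` already took the 2.15.0 fix and is still ranked above the business-critical `erp-core`, because it is internet-facing and CVE-2021-45046 remains open on it. Assets whose version is unknown are not silently dropped; they go into a separate bucket so the vendor follow-up can be tracked against the same SLA.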

The log4j vulnerabilities shook the cyber security community to its core, affecting millions of systems worldwide. While many were caught by surprise, it has perhaps provided an opportunity to review existing processes and make improvements across the board.

At Vulcan Cyber, we work daily to help cyber security teams more effectively manage and mitigate their cyber risk. Prioritization. Orchestration. Mitigation. Wherever you are in the lifecycle – Vulcan gives you everything you need to finally go beyond your risk – and actually reduce it. Start owning risk today with Vulcan Free
