Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    The Recent Log4J Vulnerability Equation: Remote Code Execution (RCE) + National Vulnerability Database (NVD) = 10.0

    James McQuiggan HSRCE. These three letters add increased levels of stress to cybersecurity professionals regarding vulnerabilities against their hardware or software within their risk management program.

    RCE is an acronym for Remote Code Execution. This capability means an attacker can launch an exploit against a vulnerability to hardware or software and easily take control of the application or system to launch their commands without the user or cybersecurity professional knowing about it. 

    Vulnerability Severity Scoring

    The National Institutes of Standards and Technology (NIST) maintains a listing of vulnerabilities and ranks them based on the severity of the vulnerabilities between 0 and 10. The Common Vulnerability Scoring System (CVSS) catalogs the individual vulnerabilities in the National Vulnerability Database (NVD) and attributes scores based on criteria that impact software. 

    There are groups of criteria: Base, Temporal and Environmental. The Base category reviews the vulnerability, which can remain consistent over time and various user environments. The Temporal group looks at the vulnerability over time, which can change, and the Environmental group provides characteristics that can be unique to a user's infrastructure or environment.

    A score of one for a vulnerability will account for a low severity and low risk. A score between 9.0 and 10.0 is a critical severity vulnerability and is the worst kind and dangerous of vulnerabilities. In the history of NIST tracking vulnerabilities in their National Vulnerability Database (NVD), the critical vulnerabilities accounted for almost 20,000 exposures and RCEs or Code Execution, attributed to over 40,000 vulnerabilities of the total 170,000 vulnerabilities in their catalog.

    A rating of 10.0 for a vulnerability allows an attacker to launch their code remotely, bypassing any authentication needed on the target system. The overall complexity is low for the attacker to implement the exploit against the vulnerability. Essentially anyone from a script kiddie to a nation-state could launch an exploit against a system and take it over without a lot of effort.

    Log4j + RCE = Big Trouble

    Log4j is a Java logging application that logs security and performance information within other java-based applications on a system. It is commonly found within the Apache web service environment. It is utilized worldwide in over three billion applications and systems. It essentially provided a backdoor for cybercriminals to easily gain access.

    Just before the Thanksgiving holiday in November 2021, security researchers discovered a vulnerability of the Apache Log4j logging application.

    The Log4j vulnerability became classified with a CVSS score of 10.0 and was assigned the identifier CVE-2021-45105. This vulnerability could allow anyone to submit a crafted network request to a system and take complete control to launch malware, ransomware or other malicious actions. 

    Best Practice & Sound Advice

    The Critical Infrastructure & Security Agency (CISA) created a dedicated page on their site to the Log4j vulnerability to support organizations in their efforts to mitigate this new threat. 

    One of the first security rules is knowing the applications and systems within the organization's infrastructure and network. Failure to do so can result in a cyber attack, which happened to credit monitoring company Experian. They were fined over $700 million from the Federal Trade Commission (FTC) in its failure to reasonably mitigate the known software vulnerabilities as it broke several laws within the Federal Trade Commission Act and the Gramm Leach Bliley Act. The FTC created these laws to protect consumer data. It requires organizations to be aware of their systems and take reasonable actions to patch known vulnerabilities to protect against Log4j or other future vulnerabilities.

    Many organizations impacted by Log4j, either as a user or developer, had a dedicated vendor page to list the applications or platforms affected for organizations to search and quickly determine their exposure

    Risk Reduction and Mitigating Actions

    It is always a bad day when a Zero-day vulnerability is discovered, and it is worse when the NVD gives it a critical rating of 10. CISA provides excellent advice that supports many cybersecurity guidelines and standards for mitigating vulnerabilities.  

    1. Review or discover all internet-facing systems which utilize the vulnerable application.
    2. Review or discover all systems within your organization that utilizes the vulnerable application.
    3. Patch all systems with the latest version when it becomes available.
      1. Test the patch on replicated, non-production systems to verify functionality. 
      2. Patch all critical and internet-facing systems first to reduce the risk of attack.
    4. If systems cannot receive the patch, isolate them, and restrict communication and access until the risk can be effectively mitigated.
    5. Monitor network traffic and applications for any odd patterns relating to the vulnerability. 
    6. Security is the process of reducing risk. It can never reach zero, but the risk can be mitigated, managed and audited to ensure an organization is secure. 

    Lessons Learned

    The Log4j vulnerability made the month of December 2021 a trying and difficult one for so many IT administrators, developers and CISOs. The risk of an attack was possible due to the high critical rating, lack of knowledge and ease of running an exploit against this vulnerability. It made it a credible threat that organizations needed to patch systems to reduce the risk of an attack by anyone from a script kiddie to nation-state attackers. Hopefully, with the lessons learned from this attack, organizations have added "Zero-day vulnerabilities with 10.0 criticality" to their playbooks and actively review their process for future risk mitigations.

    Log4j - Kevin Mitnick Explains One of the Most Serious Vulnerabilities in the Last Decade 

    Kevin Mitnick Log4J VulnerabilityIn this on-demand webinar, Kevin Mitnick, KnowBe4's Chief Hacking Officer and The World's Most Famous Hacker, and Colin Murphy, KnowBe4's Chief Information Officer, share their experience with the Log4j vulnerability. Hear their first-hand accounts of testing network environments with this incredibly easy hack.

    In less than 30 minutes, you'll learn:

    • Real life examples of this bug bounty bonanza
    • Potential consequences of these attacks
    • Remediation - blocking the perimeter is not enough
    • The future for this class of exploits

    Watch Now! 

    Don’t like to click on redirected URLs? Cut & paste this link into your browser: https://info.knowbe4.com/kevin-mitnick-explains-the-log4j-vulnerability

    Return To KnowBe4 Security Blog

    Topics: KnowBe4

    James McQuiggan

    ABOUT JAMES MCQUIGGAN

    James McQuiggan has over 20 years of experience in cybersecurity. He is currently a Security Awareness Advocate for KnowBe4, where he is responsible for amplifying the organization’s messaging related to the importance of, effectiveness of and the need for new-school security awareness training within organizations through social media, webinars, in-person presentations, industry trade shows and traditional media outlets.

    Prior to joining KnowBe4, McQuiggan worked at Siemens where he held various cybersecurity roles, including consulting and supporting various corporate divisions on cybersecurity standards, information security awareness and securing product networks. McQuiggan is a part-time faculty professor at Valencia College in the Engineering, Computer Programming and Technology division. He also volunteers for several initiatives through ISC2, including president of the ISC2 Central Florida Chapter, a member of the North American Region Advisory Council and a member of the Board of Trustees for the Center for Cyber Safety and Education.

    Read more from James »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews