Critical Log4j Vulnerability Wreaks Havoc Across Cyberspace

In what is likely the largest industry-wide vulnerability since the SolarWinds Orion flaw uncovered late last year, a critical software bug was recently discovered within Apache Log4j, an open-source logging utility widely used in business software development. A long list of technology companies have already reported being affected, including such household names as Apple, Amazon, IBM, Microsoft, and Oracle.  The vulnerability means that innumerable applications and services could be subject to the unauthorized execution of code by bad actors. In layman’s terms, the vulnerability could allow exploits such as ransomware or other malware installation, or unauthorized data access or theft.

It is already being reported that the vulnerability is being exploited by ransomware gangs, foreign governments, and other nefarious actors. U.S. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly recently said that the flaw is “one of the most serious I’ve seen in my entire career, if not the most serious” and that “hundreds of millions” of devices are likely impacted. On December 14, 2021, a second, similar flaw was discovered in older versions of Log4j.

What You Need To Do

Apache has been releasing patches on a rolling basis for the vulnerabilities, and organizations should apply those patches as soon as they become available. While patching is critical, the full extent of the Log4j bug, like that of the SolarWinds vulnerability, could take years to fully unravel. Therefore, in addition to identifying whether your organization’s systems run the affected software and patching as quickly as possible if they do, your organization should also:

  • Determine if any of your vendors, partners, or other third parties that hold your company’s information is affected by the vulnerability. Ask your vendors for a software bill of materials to help identify the bug.
  • Run regular scans of your own environment to look for suspicious activity. Since the vulnerability may be embedded deeply with your own organization’s applications or those of your vendors, you may never have 100% certainty as to potential exposure. Therefore, even if you apply patches to known use cases, you should still exercise heightened vigilance around detection for unusual activity.
  • Take stock of your hardware and software inventories, especially IoT devices that may be more difficult to identify and patch.
  • Review your incident response policies and procedures to ensure they are up to date and actionable in this elevated threat environment.

Detailed technical guidance has been put out by CISA, by Microsoft, and by many other organizations. CISA has stated that it will regularly update its webpage with additional guidance as more information becomes available.

Thinking Ahead – Regulatory Inquiries

Complex supply-chain security issues like Log4j have become increasingly common and are extremely difficult to prevent. As a “zero-day” vulnerability, it was unknown to the world and no business can completely protect against it. With that said, while the flaw is present industry wide and not the fault of any one user of the software, regulators will have little sympathy for a company that fails to take reasonable and appropriate mitigation measures after the bug’s discovery, such as a failure to patch.

As companies evaluate the extent to which their systems are impacted by this vulnerability, one factor to consider is how best to ensure that their investigations are protected by the attorney-client and attorney work product privileges. Those investigations should be both thorough and undertaken promptly.

Finally, public companies should also carefully consider whether they need to update their disclosures to comply with SEC guidance and rules. As have other agencies, the SEC has become more and more focused on cybersecurity, including through policing the timing and quality of public disclosures.

James D. Gatta

Jennifer Chunias

Boris Segalis