Log4j2 vulnerability one year later: ‘It is still being exploited’

This month marks the one-year anniversary of the discovery of the Log4j2 vulnerability. Technically, it’s a 2021 cybersecurity event. However, IT and infosec leaders spent much of 2022 hunting for and patching applications that use the buggy open-source logging library.

If they’re smart, they’ll keep doing it in 2023, says one expert.

“Many CISOs may still be thinking this is an exploit that is particular to a couple of vendors, and once they’ve patched their current software, this problem has gone away,” said Robert Falzon, head of engineering at Check Point Software Canada.

“There are [IT] systems that kick in only once or twice a year, and those systems may be vulnerable and overlooked from a checking perspective.

“It is still being exploited,” he said, and will be “for some time to come.”

“This component still exists in thousands of pieces of software across the entire spectrum of enterprises, from big to small. And despite the fact that Microsoft may have patched their current servers and software … there are organizations that are running other applications that are not being updated because they are not a piece of code that Microsoft or Linux has access to upgrade.”

It can be hard for IT administrators to trace if you don’t have the tools, he said. “Attackers are targeting these in a much more effective way now, because they’re mapping the environment of organizations that have this exposure,” Falzon added.

Briefly, Apache Log4j is a free, open-source Java-based logging framework that collects and manages information about system activity. In a July report, the U.S. government’s Cyber Safety Review Board said Java developers have embedded it into thousands of software packages and services.

The problem in Log4j version 2 was introduced by the developers in 2013, and only discovered in November 2021. At that point, it was privately reported to Apache. However, before Apache could release a fix, it was publicly disclosed, triggering a race to find and patch the hole before it was exploited by threat actors.

The race wasn’t always won by the good guys. Check Point has seen nation-state threat actors exploiting the vulnerability….