Skip to main content


Log4j Status Update

Log4j Status Update

Remember Log4j… that December 2021 vulnerability that had us all doing a deep dive into our applications to seek out the critical vulnerability? Heading into late 2022, we can rest easy knowing that it has been put to rest, right? Well, not really.

If you recall, Apache's Log4j is a software library that logs certain events, such as user activities within Java-based applications. Log4j is open-source and freely used by an enormous array of applications worldwide. The remote code execution (RCE) vulnerability associated with Log4j, CVE-2021-44228, is critical because by successfully exploiting this vulnerability, an attacker can do anything they want, including the deployment of malware or ransomware. Data extraction or manipulation is possible for attackers with even novice technical skills through this exploit.

Since Apache's Log4j software is so widely deployed, there is no main list of applications associated with its use. In response, the Cybersecurity & Infrastructure Security Agency (CISA) launched a community-sourced GitHub repository to create a listing of vulnerable products: GitHub - cisagov/log4j-affected-db: A community sourced list of log4j-affected software.

The resources and time commitment required to track down each instance of Log4j within an environment, determine a resolution plan, and perform an eventual upgrade to the latest version can be enormous. While many organizations may be persistent with the identification and resolution efforts, Log4j remediation requires a substantial number of critical resources that organizations may find scarce when facing an onslaught of new security issues and competing projects. These organizations may not have reached a cyber maturity level to fully leverage the benefits of a dedicated CIO or CISO within their organizational structure. The absence of a defined, responsible individual overseeing the information security program will likely mean a shortcoming in vulnerability resolution.

Taking this reality into consideration, the Cyber Safety Review Board (CSRB) concluded that the outdated and vulnerable instances of Log4j will continue to be exploited over the next ten years and possibly beyond. So far, exploitation has been relatively low, but the opportunity will remain available for attackers for the foreseeable future. If you are unfamiliar with the CSRB, President Biden directed the establishment of the CSRB to review significant cyber incidents and provide "advice, information, or recommendations for improving cybersecurity and incident response practices and policy."

A few observations from the CSRB report include:

  • Adopt industry-accepted practices and standards for vulnerability management and security hygiene.
  • Drive a transformation in the software ecosystem to move to a proactive model of vulnerability management.
  • Vendors like one cybersecurity technology services company observed the use of botnets to automate the reconnaissance process to quickly identify vulnerable targets.
  • A cybersecurity technology services company investigated multiple ransomware incidents that leveraged the Log4j vulnerability from January 2022 through March 2022.

The full CSRB report can be found here.

As always, follow your risk assessment program to determine your organization's best course of action. Part of your risk assessment may include identifying whether a vulnerable device is exposed to being attacked. Compensating controls may reduce exposure. 

If you are uncertain of your position, CISA offers this guidance:

CISA Log4j Guidance


Written by: John Helland
Information Security Consultant - SBS CyberSecurity, LLC


SBS Resources:

  • {Service} CyberSecurity Partnership/vCISO: In today's rapidly evolving business landscape full of cyber risks, both employees and business leaders are finding it harder and harder to handle all the demands of being a security expert. SBS has been alleviating some of that stress for over 10 years through the CyberSecurity Partnership (CSP) program and Virtual Chief Information Security Officer (vCISO) custom engagements.
  • {Service} Vulnerability Assessment: Stay one step ahead of a cybercriminal by identifying and investigating weaknesses in your network before they do. A Vulnerability Assessment is a proactive approach to identifying shortcomings and arming your organization with information to fortify your systems.

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a complete list of certifications.
Certified Banking Vulnerability Assessor   


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, November 2, 2022
Categories: Blog