Apache log4j2 is a strange word for most Internet users, but for many programmers it is a familiar companion: a component used every day to record logs. Yet precisely this component, relied on by countless programmers every day, has a vulnerability whose harm may even exceed that of EternalBlue.
Ji Jing, senior emergency response director of Dbappsecurity Co.Ltd(688023), commented: “Apache log4j2 has reduced the cost of hacker attacks and can be called an epic vulnerability in the field of network security in the past 20 years.” Some insiders also believe that this is “the biggest vulnerability in the history of modern computers”.
On December 17, 2021, the Ministry of Industry and Information Technology issued a risk notice: “There is a serious security vulnerability in the Apache log4j2 component… This vulnerability may lead to remote control of equipment, which may lead to serious hazards such as theft of sensitive information and interruption of equipment services. It is a high-risk vulnerability.”
Even national government departments have been hit. In late December 2021, the Belgian Ministry of Defence admitted that it had suffered a serious network attack based on Apache log4j2 related vulnerabilities. The attack paralyzed some of the ministry's operations, including its mail system.
The “power” of this vulnerability is so great that even national information security has been affected. So how should ordinary enterprises, especially those using cloud services, deal with it? Since the outbreak of the pandemic, a large number of enterprises and institutions have accelerated digitization and become “enterprises on the cloud”. In a traditional environment, enterprises have more control over building their own security systems. After migrating to the cloud, is their cloud security protection in place?
A security vulnerability seen once in 20 years: it will become a “network pandemic”
Late at night on December 9, 2021, attacks exploiting the Apache log4j2 remote code execution vulnerability broke out. For a time, major Internet companies were “alarmed”, and many network security engineers woke up in the middle of the night to repair the vulnerability. “It's said that programmers at the major companies were called in to make changes in the middle of the night. If they didn't finish the changes, they weren't allowed to leave work.” Relevant forums also discussed the matter one after another.
Why does one security vulnerability have such influence? Gao Yifeng, managing partner of Ernst & Young Greater China's cybersecurity and privacy protection consulting service, said: “The Apache log4j2 vulnerability crisis has attracted much attention because of its wide impact, high threat and low attack difficulty, resulting in a global impact.”
“Log4j2 is an open source logging component under Apache, an open source community. It is widely used by enterprises and organizations all over the world in the development of various business systems,” Ji Jing said. “According to incomplete statistics, within 72 hours after the outbreak of the vulnerability, more than 70 mainstream development frameworks were affected. These frameworks are widely used in the construction of digital information systems in various industries, such as finance, medical treatment and the Internet. Because many familiar Internet companies are using these frameworks, the impact of the Apache log4j2 vulnerability is very large.”
In addition to its wide use, the cost of exploiting the Apache log4j2 vulnerability is relatively low. An attacker can construct malicious data and attack a vulnerable system remotely without strong interaction such as authentication or login, and can obtain the highest privileges on the server, which ultimately leads to remote control of the equipment and further to data leakage, service interruption and other hazards.
Not only is the attack cost low, but the technical threshold is also not high. Unlike the EternalBlue outbreak in 2017, where the attack tools were relatively complex to use, an attacker targeting the Apache log4j2 vulnerability can use many ready-made tools to construct and update malicious code with only a little technical knowledge.
The low exploitation difficulty and low attack cost mean that attacks against the Apache log4j2 vulnerability will continue for some time, amounting to a “network security pandemic”.
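The first thing the engineers described above had to do was find out where log4j2 actually lived in their deployments, since the component is pulled in transitively by many frameworks and is often repackaged inside application archives. The following script is an added example, not code from the article or from the Apache project: it walks a directory tree, identifies any jar, war or ear that carries log4j-core classes (by the `org/apache/logging/log4j/core/` class path prefix, so shaded or renamed jars are caught too), reads the version from the file name or the jar manifest, and flags anything below a fixed baseline. The baseline `2.17.1` is an assumption used here as a parameter; replace it with whatever version your organization's advisory requires. The sample jars it builds in a temporary directory are constructed test data.

```python
"""Inventory log4j-core jars under a directory tree and flag versions below a
fixed baseline (added example, not from the article; the baseline is assumed)."""
import os
import re
import tempfile
import zipfile

# Class-path prefix present in every log4j-core jar, whether or not it was shaded.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Version embedded in a standard Maven artifact name, e.g. log4j-core-2.14.1.jar.
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)")
# Assumed safe floor; adjust to the advisory your organization follows.
DEFAULT_FIXED = (2, 17, 1)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of the leading numeric parts."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        data = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(path, fixed=DEFAULT_FIXED):
    """Return (version, status) for an archive containing log4j-core classes, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            if not any(n.startswith(LOG4J_CORE_PREFIX) for n in zf.namelist()):
                return None
            m = JAR_NAME_RE.match(os.path.basename(path))
            version = m.group(1) if m else manifest_version(zf)
    except zipfile.BadZipFile:
        return None
    parsed = parse_version(version)
    if parsed is None:
        return (version, "unknown-version")
    return (version, "vulnerable" if parsed < fixed else "ok")


def scan_tree(root, fixed=DEFAULT_FIXED):
    """Walk root; map each jar/war/ear containing log4j-core to (version, status)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            result = classify(path, fixed)
            if result is not None:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = result
    return findings


def build_sample_tree():
    """Create a throwaway directory with constructed fake jars for demonstration."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    specs = [  # (relative path, manifest version, contains log4j-core classes)
        ("lib/log4j-core-2.14.1.jar", "2.14.1", True),
        ("lib/app-shaded.jar", "2.17.1", True),   # version only in the manifest
        ("lib/commons-io.jar", "2.11.0", False),  # unrelated library, must be ignored
    ]
    for rel, ver, has_core in specs:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % ver)
            if has_core:
                zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, (ver, status) in sorted(scan_tree(target).items()):
        print("%-16s %-8s %s" % (status, ver, rel))
```

Run it with a deployment directory as the argument, or with no argument to scan the constructed sample tree. Matching on the class path prefix rather than the file name is the important design choice: a renamed or shaded copy of log4j-core is just as exploitable as one with its original name, and an inventory that trusts file names alone will miss it. Archives whose version cannot be determined are reported as `unknown-version` rather than silently treated as safe.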
How to protect “enterprises on the cloud”?
In the traditional model, security personnel can detect, patch and repair vulnerabilities locally. By contrast, an “enterprise on the cloud” uses cloud computing, cloud storage and other services without its own computer room or servers. In a cloud environment, the “boundary” of security protection no longer exists, the enterprise has less control over the underlying host than over a local host, and there is an additional virtualization layer that can itself be attacked.
Especially under the influence of the pandemic, a large number of enterprises and institutions have started digital transformation and migrated from local servers to cloud servers. When cloud migration is completed in a short time, the enterprise is likely to lack mature cloud security management capabilities, and it often faces insufficient security capacity and a shortage of professional staff.
How should “cloud enterprises” deal with this epic vulnerability crisis?
According to Gai Wenxuan, senior product expert at Dbappsecurity Co.Ltd(688023): “After enterprises go to the cloud, traditional network security risks still exist. In addition, they will face new security risks, such as the division of the security responsibility boundary between users and cloud platforms. Moreover, traditional hardware devices may not be suitable for the cloud environment, so relevant security services need to be deployed for these special situations.”
According to Zhao Jianshu, partner of Ernst & Young Greater China's technology risk consulting service: “In the face of rapid cloud adoption, enterprises urgently need to build a security system that meets their own business development and management requirements.”
So, for these “cloud enterprises”, should they choose the native security services provided by cloud service providers or look for a third-party professional security service provider?
In fact, at present even highly automated cloud-native security solutions cannot operate fully autonomously; qualified cloud security professional teams still need to participate. Gao Yifeng stressed that for small and medium-sized enterprises, selecting a qualified third-party professional security institution can ensure the independence of services and guarantee the smooth execution of the work and the quality of service.