On December 9th, a serious zero-day vulnerability affecting some of the world’s largest companies and most popular online services was disclosed by The Apache Software Foundation. The vulnerability, dubbed Log4Shell (also known as CVE-2021-44228), was found in a highly popular Java package named Log4j, which is used by millions of developers worldwide to record errors in their programs. It is considered one of the most critical vulnerabilities disclosed in recent years; it received the highest possible CVSS severity rating of 10 and immediately drew the attention of the entire cyber security industry and much of the tech world.
Why so bad?
This rare and alarming level of threat is due to two main factors. First, the Log4j utility is as widespread as they come, being used in almost every corner of the web. From Apple and Twitter to Amazon and Tencent, it’s an extremely popular solution for runtime logging that’s been embraced by a huge number of software products serving both businesses and individuals.
The second, and more troubling, reason is the vulnerability’s severity, that is, how far it can compromise the systems on which the affected software runs. In the case of Log4Shell the danger is extreme because the flaw allows attackers to remotely run their own code on affected machines, opening the door to almost any action they choose – deleting or encrypting data en masse, stealing sensitive information or installing malware.
This combination of scale and damage potential is rarely seen even in cybersecurity circles, and it led the director of the US Cybersecurity and Infrastructure Security Agency (CISA) to express her concerns in unequivocal terms, saying “This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious”, and to call on affected parties to take immediate steps to reduce the likelihood of damaging incidents.
What can be done?
The good news is that Apache, which develops Log4j, and the tech community at large reacted fast, releasing both a remediated version of the library and testing tools that help developers and system administrators assess their exposure and make sure their assets and users are safe. And indeed, for most software products the fix is simple and only requires updating Log4j to version 2.15.0 or later.
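As an added example (not part of this advisory, and not a Secret Double Octopus or Apache tool), the following Python script shows one way an administrator could perform that exposure check on a host: it walks a directory tree, finds log4j-core jars, reads the version from the Maven pom.properties that Log4j's published jars carry under META-INF/maven, falls back to the version in the filename, and flags anything below 2.15.0. The jars it scans in the demo are constructed in a temporary directory and contain only that metadata, not real Log4j code. The check for JndiLookup.class (a real class in log4j-core) is an extra indicator this page does not mention; versions that do not parse as plain x.y[.z] are reported with below_fix=False for manual review rather than guessed at.

```python
"""Inventory log4j-core jars under a directory and flag versions older than 2.15.0."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (2, 15, 0)  # fixed release named in the advisory
POM_DIR = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' (or '2.14') into a comparable tuple; None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_below_fix(version: str) -> bool:
    """True when the version parses and is older than 2.15.0."""
    parsed = parse_version(version)
    return parsed is not None and parsed < FIXED_VERSION


def inspect_jar(path: str) -> Dict[str, object]:
    """Read the log4j-core version from pom.properties inside the jar (falling back to
    the filename) and note whether JndiLookup.class is present in the archive."""
    version: Optional[str] = None
    jndi_present = False
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            jndi_present = JNDI_LOOKUP_CLASS in names
            for name in names:
                if name.startswith(POM_DIR) and name.endswith("pom.properties"):
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            version = line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a readable archive; the filename fallback below may still help
    if version is None:
        m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$", os.path.basename(path))
        version = m.group(1) if m else None
    return {
        "path": path,
        "version": version,
        "below_fix": version is not None and is_below_fix(version),
        "jndi_lookup_present": jndi_present,
    }


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and inspect every jar whose name looks like log4j-core."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.startswith("log4j-core") and fname.endswith(".jar"):
                findings.append(inspect_jar(os.path.join(dirpath, fname)))
    return sorted(findings, key=lambda f: str(f["path"]))


def build_sample_jar(directory: str, version: str, with_jndi: bool) -> str:
    """Constructed fixture: a minimal jar holding only the Maven metadata the scanner
    reads and, optionally, an empty JndiLookup.class entry. Not a real Log4j build."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_DIR + "pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def demo_scan() -> List[Dict[str, object]]:
    """Build one pre-fix and one fixed sample jar in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(tmp, "2.14.1", with_jndi=True)
        build_sample_jar(tmp, "2.15.0", with_jndi=True)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        status = "UPDATE NEEDED" if f["below_fix"] else "ok"
        print(f"{f['path']}: version={f['version']} "
              f"jndi_lookup={f['jndi_lookup_present']} -> {status}")
```

To use it on a real host, call scan_tree() with the application's install or library directory instead of the constructed fixtures; jars nested inside war/ear archives are not unpacked by this script, so those need a separate pass.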
As for Secret Double Octopus solutions, we can report that none are directly affected by this vulnerability.
However, log4j is used within a component of our management console called Elasticsearch. Elastic released a statement addressing the vulnerability and suggesting a mitigation method. The Secret Double Octopus 9012 patch is a preventative measure that implements the recommended solution, and applies to versions 4.6.4 to 5.0.4 of Octopus Authentication. Please note that this patch needs to be installed only on the Management Console Servers; there is no need to install it on the Octopus Authentication Server or Octopus Authentication Server DMZ, as these are unaffected by the vulnerability.