On December 9, 2021, security researchers announced a zero-day vulnerability, CVE-2021-44228, impacting the widely-used Apache Log4j Java-based logging library. Known as Log4Shell, the vulnerability can allow unauthenticated remote code execution and access to servers – in effect, a complete takeover of vulnerable systems.
Log4j is used in many cloud platforms, web applications and email services, meaning that there is a wide range of systems that could be at risk from the vulnerability. GitHub has published a list of vulnerable applications and systems, and security researchers report that cyber attackers are already making hundreds of thousands of attempts to exploit the vulnerability every minute.
Because it is deployed in millions of Java-based web applications worldwide, it is important for organizations to determine not only their internal attack surface, but also the risk they face from vulnerable third parties.
8 Questions to Immediately Determine Your Third-Party Exposure to Log4Shell
Prevalent has curated an 8-question assessment that can be leveraged to rapidly identify any potential impacts to your business by determining which of your third parties utilize Log4j in their applications, and what their mitigation plans are.
| Questions | Potential Responses |
| 1) Has the organization identified whether it is impacted by the recent Apache Remote Code Execution (RCE) vulnerability on its Log4j utility program? Help text: This question relates to the recent remote code execution (RCE) vulnerability (CVE-2021-44228) affecting the Apache Log4j utility program, on versions 2.0-beta9 to 2.14.1 | Please select ONE of the following: a) The organization has reviewed and identified that it is impacted by the recent Apache Remote Code Execution Vulnerability. b) The organization has reviewed and identified that it is not impacted by the recent Apache Remote Code Execution Vulnerability. |
| 2) Has the organization managed to update to Log4j 2.15.0 as recommended? | Please select ONE of the following: a) Yes, the organization has managed to update the program to the latest 2.15.0 version. b) The organization is unable to update to the latest Log4j version. c) The organization has not yet updated the program to the latest 2.15.0 version. |
| 3) Which version of the Log4j program does the organization currently run? | Please select ONE of the following: a) The organization uses a release >=2.7 and <=2.14.1 b) The organization uses a release >=2.0-beta9 and <=2.10.0 (proceed to question 5) |
| 4) If your current release of Apache Log4j is >=2.7 and <=2.14.1, and your organization has not updated to the latest version, then have the following actions been taken?Help text: Apache have released these recommended actions to address the RCE vulnerability. Actions recommended are based on the version being used. | Please select ALL that apply:a) For mitigation, the organization has set either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. b) All PatternLayout patterns have been modified to specify the message converter as %m{nolookups} instead of just %m. |
| 5) If your current release of Apache Log4j is >=2.0-beta9 and <=2.10.0, and your organization has not updated to the latest version, then have the following actions been taken? Help text: Apache have released these recommended actions to address the RCE vulnerability. Actions recommended are based on the version being used. | Please select ALL that apply: a) For mitigation, the organization has set either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. b) The JndiLookup class has been removed from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. |
| 6) Has the cyber-attack affected critical applications delivered to or used to support client services? Help text: Consideration should be given where client systems, or those holding client information are using the Log4j utility program. | Please select ONE of the following: a) Yes, the vulnerability has affected applications delivered to, or used to support client services. b) No, the vulnerability has not affected applications delivered to, or used to support client services. |
| 7) Does the organization have an incident investigation and response plan in place? Help text: Procedures for monitoring, detecting, analyzing, and reporting of information security events and incidents should be in place, and allow an organization to develop a clear response strategy to handling identified incidents and events. | Please select ALL that apply: a) The organization has a documented incident management policy. b) The incident management policy includes rules for reporting information security events and weaknesses. c) An incident response plan is developed as part of incident investigation and recovery. d) Incident response planning includes escalation procedures to internal parties, and communication procedures to clients. |
| 8) Who is designated as the point of contact who can answer additional queries? | Please state the key contact for managing information and cybersecurity incidents. Name: Title: Email: Phone: |