Log4j Vulnerability and the Importance of SBOM in Software Supply Chain Security

The Apache Log4j vulnerability has been making global headlines since it became public on 9th December 2021. The report stated that the vulnerability affects Apache Log4j between versions 2.0 and 2.14.1 and is independent of the underlying JDK version.

It was a full-blown security meltdown that resulted in attackers performing remote code execution and affected digital systems across the globe. In response, Apache implemented patch fixes, but some components remained unattended.

Today, almost two years later, security experts consider Log4j to be one of the most severe threats to affect software supply chain security. It is an object lesson in why organizations should incorporate Software Bills of Materials (SBOMs) in their SDLC.

This blog talks about the basics of Log4j, how it affects the software supply chain security, and how SBOM helps identify and mitigate threats.

What Is Log4j Vulnerability, and How Does It Affect the Software Supply Chain Security?

It is a security flaw in the Log4j Java logging utility that is a part of the Apache Logging Services. The issue in question has been termed Log4Shell and given the identifier CVE-2021-44228. 

CVSS allotted the Log4j vulnerability the highest threat score possible (10.0) because of the widespread damage it causes, the total number of systems it compromises, and the ease with which an attacker can exploit a network.

Log4j Vulnerability Impact

When a software component has a vulnerable version of Log4j, it impacts the security of the software supply chain by serving as an entry point for attackers.

As per CVE, since attackers can send malicious input data using a JNDI lookup pattern, it is common to witness information leaks, remote code execution in some environments, and local code execution in all environments. This fallout from the Log4j vulnerability gives rise to other attacks, such as ransomware and denial-of-service attacks.

Additionally, an application uses various interconnected dependencies, components, and APIs. If the application includes a vulnerable Log4j version, the exposure can spread to other dependent software components, resulting in vulnerabilities across multiple systems and applications.

To prevent this threat, it is vital to have visibility into all components used in application development. This is where the SBOM (Software Bill of Materials) comes in.

SBOM (Software Bill of Materials) and Vulnerability Detection 

SBOM is a list of components, third-party dependencies, and libraries used in developing an application. It plays a vital role in preventing security incidents and protecting digital assets in several ways:

1) Prevents Security Incidents

SBOM provides 360° visibility into various software components used in an application, their versions, and the licenses governing them. 

Organizations can rapidly and correctly track down exactly where the security flaw is and apply patches or updates when they identify vulnerabilities. It helps prevent attackers from exploiting known vulnerabilities and reduces the risk of security incidents.

For instance, in the case of Log4j, an SBOM will document that an organization depends on the vulnerable component and that Log4j needs immediate patching to prevent attackers from exploiting Log4Shell.

2) Supply Chain Security

SBOMs assist organizations with keeping track of the supply chain and origin of third-party components, verifying their integrity and security, reviewing their licensing terms, and identifying and addressing any potential security attacks that originate from third-party sources.
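For the Log4j case described under "Prevents Security Incidents" above, here is an added example (not code from the original article or from any vendor's product). It reads a CycloneDX JSON SBOM, flags log4j-core copies in the affected range this article states (2.0 through 2.14.1), and reports the dependency path that pulls each one in. The SBOM content, component names and bom-ref values are constructed sample data.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical application (sample data).
SBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"bom-ref": "app", "name": "billing-service"}},
 "components": [
  {"bom-ref": "web", "group": "com.example", "name": "web-framework", "version": "3.2.0"},
  {"bom-ref": "rpt", "group": "com.example", "name": "report-lib", "version": "1.1.0"},
  {"bom-ref": "l4j-a", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
  {"bom-ref": "l4j-b", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
  {"bom-ref": "l4j-api", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["web", "rpt"]},
  {"ref": "web", "dependsOn": ["l4j-a", "l4j-api"]},
  {"ref": "rpt", "dependsOn": ["l4j-b"]}]}""")

AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)  # range stated in this article

def version_tuple(version):
    """Numeric (major, minor, patch); a suffix such as -beta9 is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(comp):
    # CVE-2021-44228 is in log4j-core; log4j-api on its own does not match.
    return (comp.get("group") == "org.apache.logging.log4j"
            and comp.get("name") == "log4j-core"
            and AFFECTED_MIN <= version_tuple(comp.get("version", "")) <= AFFECTED_MAX)

def path_to(graph, start, target):
    """Depth-first search for one dependency path from start to target."""
    stack, seen = [[start]], set()
    while stack:
        path = stack.pop()
        if path[-1] == target:
            return path
        if path[-1] not in seen:
            seen.add(path[-1])
            stack.extend(path + [dep] for dep in graph.get(path[-1], []))
    return []

def find_log4shell(sbom):
    """Return (version, bom-ref path from the application) per affected copy."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return [(c["version"], path_to(graph, root, c["bom-ref"]))
            for c in sbom.get("components", []) if is_affected(c)]
```

Calling `find_log4shell(SBOM)` on the sample returns one finding: version 2.14.1, reached through the `web` component, which is the dependency to upgrade or replace.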

 


Some Common FAQs 

What Does Log4j Do? 

Log4j is a Java-based logging utility that logs messages within the software and provides detailed insight into software execution. It also allows the developers to record application events, track application behavior, identify errors, and monitor performance.

How to Detect Log4j Vulnerability? 

Employ an SBOM, such as that provided by Appknox, to detect the Log4j vulnerability by understanding the entire attack surface of the application. It ensures compliance with OWASP CycloneDX, identifies old versions, and assists in updating or replacing them, thus improving the security of the application.

What is the Software Bill of Materials (SBOM)?

A Software Bill of Materials (SBOM) is an inventory of all the open-source and third-party components used while building and delivering an application. It also provides visibility into the internal components, licenses, versions, and patch status. It helps organizations identify which parts could pose a security or license risk.

With Log4j attacks being so prevalent, the use of SBOMs has become increasingly crucial in organizations. The plus point is the SBOM's ability to create an application inventory so that when a security incident like Log4j happens, you have a reference that answers questions like:

  • What is the location? 
  • How can I update it? 
  • What are the steps to mitigate the threat? 

SBOM will help you shore up remediation against potential security attacks.


Published on May 23, 2023
Written by Raghunandan J
Raghunandan J is a senior product manager at Appknox, a mobile security suite that helps enterprises automate mobile security. With over a decade of expertise in driving the product vision and strategy for a cloud-based mobile security platform, Raghu is a certified ScrumMaster and Business Analyst.
He is the driving force behind our mission to revolutionize AppSec and has a rich experience in agile methodologies and stakeholder management.
