BSI warns: Log4J remains a problem

Even more than two years after the first problems with Log4j became known, many scenarios are apparently still running unpatched versions of the logging library.

Greenbone’s products help – especially in detecting outdated software.

No one should take Log4j lightly as a done deal just because the vulnerability (CVE 2021-44228) has actually been fixed for a year and a half. That is the conclusion of an event at the end of March in which the German Federal Office for Information Security (BSI) issued an urgent warning. The vulnerability affected Log4j versions 2.0 to 2.14.1 and allowed attackers to execute their own programme code on target systems and compromise third-party servers. Greenbone’s products have detected the Log4j vulnerabilities since December 2021 and can therefore warn administrators.

Under the title “Log4j & Consequences” in the series “BuntesBugBounty“, the BSI spoke with Christian Grobmeier from the Log4j team and Brian Behlendorf from the Open Source Security Foundation (OpenSSF). Shockingly, more than a third of the downloads on the Log4j website still add up to outdated versions that do not contain the important patch – it can be assumed that numerous systems in companies are still vulnerable.

This is mainly due to third-party software that Log4j embeds or integrates via software distribution – which is not at all surprising to Grobmeier, because that is how the supply chain works with open-source software. According to the Log4J developer, nothing can be changed in the near future.

This is also confirmed by the Open SSF: for Behlendorf, only stricter liability for software producers could be helpful, as is already being considered in the USA. Without fundamentally new approaches, the problems are unlikely to change.

Those who nevertheless want to protect themselves permanently against attacks on known vulnerabilities that have already been patched should take a look at Greenbone’s products. Only professional vulnerability management gives administrators an overview of outdated software versions and unpatched gaps in the company’s systems – and thus creates the basis for further security measures.

The development of vulnerability tests is a key activity at Greenbone and a continuous process that ensures the high quality of the products and thus the high benefit for customers. Security checks are carried out every day and vulnerability tests are developed and integrated into the products daily as well, prioritized by the security situation. In the case of critical security warnings, as with Log4j, Greenbone reports on the current status, the facts and how to deal with them, for example in the blog posts about Log4j.