CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

On December 9, 2021, a critical zero-day vulnerability affecting Apache’s Log4j2 library, a Java-based logging utility, was disclosed to the world. This was no small announcement. As the third most used computer language, Java is practically ubiquitous. Its Log4j2 library is extremely popular. Billions of devices around the globe currently run Java. Most enterprises likely have multiple versions of it running throughout their computing systems.
This new weakness in the Log4j2 library was soon given a name: Log4Shell. In the cybersecurity hall of fame – one that includes nasty past exploits like HeartBleed, WannaCry, and ShellShock – Log4Shell was found to be in a league all its own. Because it was difficult to locate but easy to exploit, it was clear that this vulnerability would have a massive impact across nearly every industry… hitting only two weeks before the holidays.
It didn’t take very long for this critical Java vulnerability to be exploited in the wild. Nearly 1 million attack attempts were launched in just 72 hours following the Log4Shell vulnerability's disclosure.
There was no time to waste. The bad guys didn’t care that it was the holiday season. With many companies preparing to operate with skeleton IT staffing during the final two weeks of 2021, hackers and attackers saw an opportunity. The race was on.
Qualys was among the first industry players to analyze the threat and develop effective countermeasures to mitigate this dangerous new vulnerability. Our Qualys Cloud Platform is a unified cybersecurity and compliance solution comprised of a suite of specialized cloud apps that help global enterprises manage their vulnerabilities, threats, and exploits.
We’ve indexed more than 10 trillion datapoints across our installed enterprise customer base and completed 6 billion IP scans per year with 75 million cloud agents deployed in hybrid IT environments globally. With that kind of scale, Qualys occupies a unique vantage point capable of ferreting out Log4Shell wherever it hides.
Quickly identify Log4Shell vulnerabilities using our cloud platform
The Qualys Research Team analyzed anonymized security data across the networks of global enterprises using the Qualys Cloud Platform. By examining how and where the Log4j2 library was implemented across organizations worldwide, we were able to provide the following insights on Log4Shell’s impact within a month of its disclosure.
Here’s a window into how the world’s enterprises responded.
Within 24 hours, the Qualys Research Team had published its findings and launched a Log4Shell resource center to keep the industry updated. We released over 70 vulnerability detections and continued to release more as vendors released patches for their vulnerabilities. We hosted a series of webcasts for customers and non-customers alike on the steps we recommended for remediation.
Given the ubiquity of Log4Shell, we realized that having more enterprises detect it more quickly would benefit the entire cybersecurity community. With this in mind, Qualys developed a new open source Log4j scanning utility to save security teams valuable time. To help enterprises quickly detect and remediate these vulnerabilities, we offered complimentary access to our unified security and compliance platform for 30 days.
Thankfully, critical vulnerabilities as severe as Log4Shell are a rare occurrence. However, the future discovery of another weakness just as bad (or worse) is inevitable. That’s why all enterprises, large and small, are well advised to invest in a best-in-class platform solution that can aid security operations, IT asset management, vulnerability detection and response, cloud security, EDR/XDR, and web app protection. CxOs should make sure that their security and IT Ops teams have a unified view of the organization’s risk posture. Real-time threat intelligence like that from the Qualys knowledgebase helps enterprises to continuously assess, monitor and report on the latest and greatest security threats so that, when “next time” inevitably arrives, we’ll be ready.