Log4j, an open-source software logging library of Java, was recently exploited by malicious attackers, putting zillions of sensitive data at risk. The vulnerability in the system allowed attackers to remotely access and execute arbitrary code, making some of the crucial enterprise platforms weak and exposed to gruesome threats. Unfortunately, the flawed log4j worm is still alive, raising concerns among business groups.
How serious is the Log4j issue?
Since Log4j is widely used by businesses and web portals, the newly found flaw can cause irreversible damage to several firms, including fintech companies. Meaning, through log4j, threat actors can access sensitive data of the clients and customers.
Computer Emergency Response Team (CERT) has reported that around 17,000 (4% of total) packages in the Java ecosystem have been affected by the log4j vulnerability.
Earlier this month, the news of log4j vulnerability broke out, and it caught the Java-based platforms off guard. As log4j exposed the insecure JNDI lookups feature, a Vietnamese fintech firm was exploited, compromising their sensitive data. Moreover, attackers threatened the firm to publish customer data should the company refuse to comply. Several such firms are reporting to have become a victim of the flawed Log4j libraries and attacked data.
Can security analysts fix the log4j flaws and mitigate associated risks?
It has proven challenging to fix because many of the affected artifacts have transitive dependencies running into multiple levels. In such cases, all levels of the tree would require patches.
At present, the security analysts have built resources indexing possibly weak and exposed systems. With this, the leaders are reworking the systems & libraries to ensure the end-to-end security of the platforms. Despite the preventive measures being taken, exposure to the unlisted vulnerable systems can not be denied.
The log4j flaw can affect enterprise applications, embedded systems and their sub-components. And for non-Java-based platforms and software solutions, the security community has not yet included vendors or cloud hosting providers to the list.
The Apache Software Foundation has come up with fresh patches that restrain the flaw and mitigate possible abuse of sensitive data. It is seen as a hope to recover the data injuries and vulnerabilities.
Data Security at WealthDesk
At WealthDesk, we take security extremely seriously. As soon as news of the vulnerability broke, our engineering team pro-actively started assessing the impact. Unlike many other Java-based fintech platforms which became a victim to the log4j flaw, WealthDesk has not recorded any breach or exploitation.
Most importantly, as a cloud-based business, all our Java-based AWS lambdas use managed runtimes, and AWS has already taken care of mitigating this issue.
When it comes to our other Java-based services, we have no direct dependencies since we don’t currently use any artifacts using log4j builds 2.15.0 or 2.16.0, which are the builds that have been affected by the latest vulnerabilities.
We have also checked our indirect dependencies, and as a precautionary measure we upgraded them to use version 2.17.0 which is presently known to be free of all vulnerabilities.
Moving ahead:
WealthDesk acknowledges the crucial data and sensitivity involved in fintech businesses. A tiny error in the security system and it can cause a consequential data breach! Hence, the WealthDesk security team always takes preventive measures on software artifacts and cloud infrastructure to safeguard the platform from potential vulnerabilities and malicious activities.
We at WealthDesk continue to remain vigilant and will follow best-in-class security measures at all times to ensure none of our systems are compromised by such vulnerabilities.
