Chronique du CTI – The Perfect 10
Par Nareg Froundjian, avocat, administrateur du JBM responsable du CTI
Log4j security vulnerability and how organizations can navigate the legal risks associated with critical zero-days
Last update: January 14, 2021
Nareg Froundjian, Associate Attorney, Data Privacy and Cybersecurity, Deloitte Legal Canada LLP
Information security experts around the world sounded a massive alarm on December 10, 2021, following the public disclosure of the Log4J vulnerability the day before. The widespread use of the Log4j framework in enterprise software and the ease with which the vulnerability can be exploited requires immediate attention from system administrators, cybersecurity experts, communications experts, and legal counsel. This critical vulnerability exposes hundreds of millions of devices to remote infiltration without any input from the victim. It is historic.
What is the Log4j vulnerability?
Log4j is a popular Java library developed and maintained by the Apache Foundation. It is broadly adopted and commonly used in various consumer and enterprise software as a logging framework for Java. On December 10, 2021, the Apache Foundation released an emergency security update for the recently discovered Log4j vulnerability, alias CVE -2021-44228. Log4j’s ubiquity in modern software, the simplicity of executing the exploit, and its potential for devastating remote code execution earned it a 10-out-of-10 “critical” CVSS score.
How are organizations dealing with Log4j?
Upon discovery, private and public organizations took their systems offline to buy time to patch, while security agencies have been issuing continuous guidance.
The only mitigation measure is to patch to the latest version (currently, v. 2.17.1). Patching is the simple part. Identifying systems has proven to be a challenge. As affected organizations deploy patching efforts, interim protection measures should be implemented. Monitoring for post-exploit activity while patching is a better use of time and resources over the long-term than attempting to block IP addresses. Refer to the most up-to-date guidance and leverage outside help. The information security community has come together, and many are offering tools to help stem the bleeding. Remain on high alert until there is sufficient assurance that assets are enumerated, patched, and determined not compromised.
The first observed indicators of compromise (“IOC”) currently date back to December 1. IOCs that predate the initial reveal on December 9 are likelier to be genuine attack attempts and should be investigated. Affected organizations should conduct a backdated security review even if timely patches were applied.
What are the legal risks to be considered?
The Log4j vulnerability can easily be exploited to remotely execute malicious code. Actual observed examples include crypto mining and botnet activity. More recently, the exploit has been used to install Cobalt Strike, a precursor to credential theft, lateral movement within the victim’s environment, data exfiltration, and ransomware on compromised systems. These will surely follow.
The critical nature of the Log4j vulnerability requires immediate remedial action in accordance with best practices and potentially parsing your logs if it the vulnerability has gone unpatched. One has a legal obligation to act diligently to limit the impact of cyber incidents. Not responding opens the door to personal liability of the board members and executives, class action, litigation, and administrative penalties.
Potential data access, exfiltration, and ransomware
Unauthorized access into confidential systems raises privacy concerns and increases liability to victims and regulators. Obligations (e.g., prompt disclosure and notifications) may arise from privacy legislation (e.g., PIPEDA, provincial laws, GDPR), industry-specific regulation (e.g., energy, banking, finance, health), and private agreements (PCI DSS). Search for signs of compromise after patching.
Contractual obligations, covenants, and breach thereof
Taking systems offline may be a reactionary measure while assessing the reliance on Log4j, but it can result in a breach of delivery obligations or service level agreements. Contracts should be reviewed with the help of counsel and experts to consider the cost-benefit of reactionary measures. If your organization has financing or is contemplating an M&A transaction, representations and warranties may need to be updated.
Contractual rights and recourses
Review contracts with your IT or software service providers to confirm their obligation to address this vulnerability. If applicable, make sure to follow the steps to be indemnified in case of third-party claims. Review contracts with your end-users and clients to confirm your own obligations to remediate (sometime with defined timeline) and notify them as may be necessary.
Open-source and deprecated software
Reliance on open-source software raises additional legal questions. There may be no one to promptly patch Log4j (if at all) and no one to indemnify you if the vulnerability is exploited, as such software is typically provided on an “as-is” basis. More so, you may not be aware that open-source code is present in your environment, and others might discover it before you have time to patch it.
Exploit specific risks: botnet swarms and crypto mining
Organizations may find themselves missing delivery deadlines or failing to meet SLAs as computer resources are diverted for illegitimate uses, hindering employee productivity, or rendering customer-facing web services unusable. The weaponization of organizational infrastructure in a botnet swarm also poses a risk if those assets are unwittingly used in distributed denial of service attacks.
Organizations need to demonstrate they have been diligent in anticipating potential cyber incidents and mitigating their impacts. This vulnerability is an entire-business issue. Executives should ensure that the IT and security teams are dealing with this as a priority and providing regular updates once complete.
Equally, ask what help and support your teams need.
Below are some specific actions, in addition up-to-date cybersecurity guidance that should be verified routinely as the situation unfolds.
Short term recommendations
- Obtain external legal and cybersecurity advice on legal obligations, operational risks, and remedial measures.
- Balance the negligence and commercial risks associated with taking systems offline while you patch to the latest version.
- Leverage technical and procedural due diligence measures while vulnerable systems are being identified and patched.
- Make appropriate inquiries of your IT vendors or third parties with privileged access to your environment.
- Ask for external assistance if you do not have the internal capabilities to inventory assets and patch systems using Log4j in a timely manner.
Medium term recommendations
- Consider contractual obligations to immediately patch severe vulnerabilities and/or to notify other parties that may apply to you.
- Review agreements for clauses related to privacy, force majeure, representations and warranties, and choice of law and forum.
- Inventory assets in your organization’s technology environment.
To learn more
The Young Bar of Montreal organizes its annual Legal.IT event, this year taking place on March 31 and April 1, where experts discuss cybersecurity, data protection, and all kinds of fun topics like the blockchain, the metaverse, online surveillance, intellectual property rights, and more.
Sign up here and join in the fun.
Les chroniques du CTI sont rédigées par un ou plusieurs membres du Comité Technologies de l’information (CTI)
dans le but de susciter les discussions et de soulever les réflexions au sein de la communauté juridique à propos des nouvelles technologies et le droit. Les auteurs sont donc seuls responsables du contenu des articles et l’opinion qui y est véhiculée n’est pas celle du JBM, mais bien celle des auteurs. Si vous désirez rédiger une chronique, envoyez
un courriel au email@example.com.