Inyova’s short monthly newsletter about security recommendations, news, and interesting facts.
This is an internal newsletter sent to the Inyova team each month. We hope you enjoy it as much as we do!
Today’s topic: Cyber pandemic log4Shell
Sweet servers intro
Servers have a great memory and computing power, they provide data and services to other computers (aka clients) in their network. And of course, they reject offering their data and services to unauthorised entities.
All the activity that happens on servers is being tracked – logged. Thanks to that professionals can spot any interactions, behaviour, issues, cyber-security attacks, and more. For logging, they often use a well-known, widespread library – Log4j.
What happened?
On December 10, 2021, NVD published a 0-day vulnerability in java-based library Log4j. The vulnerability got the name Log4Shell.
News and blogs call the event a cyber-pandemic as Log4j is widely spread and the vulnerability is easy to exploit. The criticality was set to 10/10.
How Log4Shell works
Long story short, an attacker can pass a request to a server, the server logs the request, and the vulnerability allows it to run the malicious code.
Once that happens, the attacker opens a door to the server and can continue with any further attacks. All this is done remotely, without any authentication or authorisation.
So to recap, anyone that is using this affected version of Log4j can have a server with all stored data under attack and stolen? — Yes. And the list of affected companies is pretty long.
What should I do?
As users, we cannot easily find out which concrete platform or app is using the affected version of Log4j. But, all players affected by Log4Shell immediately started releasing patches (fixes and workarounds).
Today, 1 month after the attack, we can assume that most of the big internet players have already released a stable and secure version of their product. Hence, the best shot is to update all your software.
What should companies do?
Inyova has verified that our setup is not affected by the Log4j vulnerability. The same approach should be taken by all other companies to minimise the impact of any future attacks.
That’s it! Keep your mechanics safe and thanks for reading.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://hackernoon.com/the-critical-log4j-java-vulnerability-how-to-detect-and-mitigate-it
https://engineerworkshop.com/blog/log4j-determine-server-affected-log4shell-vulnerability/
Advertising notice: The information and evaluations presented here are an advertising announcement which has not been prepared in accordance with legal provisions promoting the independence of financial analyses and is not subject to any prohibition of trading following the dissemination of financial analyses. The acquisition of this investment involves considerable risks and may lead to the complete loss of the invested assets. Inyova receives an all-inclusive fee of 0.9 - 1.2 & p.a. for its services, depending on the amount of assets under management. The exact calculation can be found at www.inyova.de/en/fees.
Risk notice: All information is only intended to support your independent investment decision and does not represent a recommendation by Inyova. The product information and calculation examples presented do not claim to be complete or correct. Only the specifications in the asset management contract incl. the further legal documents, which are made available to customers of Inyova via the complete customer documentation, are authoritative. Please read the asset management contract and the other client documents carefully before making an investment decision. The following applies to all shares and ETFs: Past performance is no guarantee of future performance. Information on past performance does not permit forecasts for the future. Investments in securities include the risk of a loss in value. Other securities services may achieve different results. The results for individually managed portfolios as well as the different time full stops may differ due to market conditions, different entry times, different portfolio sizes, individual restrictions and the respective composition of the portfolio.
Disclaimer: Past performance of financial markets and instruments is never an indicator of future performance. The statements or information contained in this document do not constitute a recommendation, offer, or solicitation to buy or sell any security or financial instrument. Inyova GmbH assumes no liability whatsoever with regard to the reliability and completeness of the information contained in this article. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected. Furthermore, the statements contained in this document reflect an assessment at the time of publication and are subject to change. References and links to third party websites are outside the responsibility of Inyova GmbH. Any responsibility for such websites is declined.
EU Sustainable Finance Regulation: the terms and categories from this post do not correspond to the terms and categories of the EU Sustainable Finance Regulation. You can find the disclosures and explanations required under the EU Sustainable Finance Regulation at https://inyova.de/en/sustainable-finance-disclosure-regulation..