Cybersecurity insights

Exposing Vulnerabilities

Amit Shah is the director of product marketing at Dynatrace and one of the guys who discovered the Log4j vulnerability early on. Shah has participated with product marketing teams at places like Splunk and PayPal after graduating from UC Berkeley with an undergrad in electrical engineering and computer science and earning an MBA from Cornell. Today’s episode dives into vulnerabilities.

Log4Shell is a software vulnerability in Apache Log4j 2, a popular and well-known Java library for logging error messages in applications. It’s a known vulnerability with a severity rating of 10. Several patches had been released by the time it was discovered, one of which didn’t work so well. What makes it so dangerous is that it’s virtually everywhere, from Amazon Web Services all the way to VMware, with a whole host of dependencies among affected platforms and services that makes patching a nightmare.

It gives attackers complete control over any internet-connected service that uses the Log4j library anywhere in the software stack. Shah weighs in on how he discovered it and what he does to deal with it:

We were able to find out within minutes of the discovery of the vulnerability and it had been published in the vulnerability database, where all it was within our own environments being the software as a service (SaaS) environment that we provide to our customers. We were able to use the information from there to patch it within a couple of hours and prioritize where all it is, which instances of it need to be fixed immediately versus which ones are in parts of the application that are not necessarily easily accessible from the internet or don’t have access to sensitive data and could wait a day or two in order to be patched.

In this episode of Cybersecurity Unplugged, Shah also discusses:

  • The questions that arise from the Log4j vulnerability;
  • Challenges around the proper configuration and software supply chain;
  • The exposure of energy companies having power supply disruptions for millions of customers;
  • The need for cybersecurity education.