On December 14th, 2021, Chen Zhaojun of the Alibaba Cloud Security Team discovered a vulnerability that impacts Apache Log4j 2 versions 2.0 to 2.14.1. This “vulnerability allows for unauthenticated remote code execution” and is of particular concern to any market researcher responsible for maintaining the integrity, confidentiality, and availability of survey participants’ Personally Identifiable Information (PII).
Log4j 2 is an open-source Java logging library developed by the Apache Software Foundation. It is a widely used piece of software that, in short, can be made to run code embedded in the text it logs, even if that code is malicious. That means malicious code placed into a survey response could, in theory, execute on the host computer and infect it without anyone ever clicking on it.
Google estimates that “More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities”. Because it is open-source software (OSS), many developers have simply trusted that it was safe and secure. Well, “surprise!” It is not. So, what can market researchers do to mitigate this risk? Security Magazine lists these three steps:
First, determine if any of your software, or software you use, has log4j installed. This simple inventory should allow you to better understand if you are exposed to this potential vulnerability, or if one of your vendors is exposing your systems to a hacking threat.
Second, if you are exposed to this threat, make sure you are notified for each alert that falls into the log4j category. Until all exposures to log4j are fully patched, security teams should make sure they monitor their exposure to this threat.
Third, install a firewall to make sure your organization is separated from the log4j threat. Quarantining the vulnerability until a patch or alternative solution is installed may be the best way to mitigate the threat.
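One way to carry out the first step's inventory, as an added example (not code from the article or from Security Magazine): a Python script that walks a directory tree, reads the Maven pom.properties that log4j-core ships inside its own JAR, and flags any version in the range the article names. It assumes archives are not nested; a log4j-core JAR packed inside a WAR would need the WAR unpacked first.

```python
# Added example (not the article's code): flag bundled log4j-core in the article's range 2.0 to 2.14.1.
import tempfile, zipfile
from pathlib import Path

# Maven metadata log4j-core ships inside its JAR; its version= line is authoritative.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_LOW, AFFECTED_HIGH = (2, 0, 0), (2, 14, 1)

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> comparable (major, minor, patch); qualifiers dropped."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH

def log4j_core_version(jar_path):
    """Return the log4j-core version recorded in jar_path, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS not in jar.namelist():
                return None
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass                                     # not a real archive; skip it
    return None

def scan(root):
    """Walk root; return {path: version} for every affected log4j-core found."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".jar", ".war", ".ear"):
            version = log4j_core_version(path)
            if version and is_affected(version):
                findings[str(path)] = version
    return findings

def demo():
    """Constructed sample: two fake JARs, one in the affected range, one patched."""
    root = Path(tempfile.mkdtemp())
    for name, ver in (("app/log4j-core-2.14.1.jar", "2.14.1"),
                      ("lib/log4j-core-2.17.1.jar", "2.17.1")):
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / name, "w") as jar:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={ver}\n")
    return {Path(p).name: v for p, v in scan(root).items()}

if __name__ == "__main__":
    print(demo())                                # {'log4j-core-2.14.1.jar': '2.14.1'}
```

The range is the one the article gives; back-port fix releases such as 2.12.2 also fall inside it, so treat a hit as a prompt to confirm against the vendor's advisory rather than as a final verdict.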
Take a moment to review your software with your market research team to make sure you are carefully protecting the confidentiality, integrity, and availability of your survey respondents’ PII. For more information, please review the Clear Seas Data Security page.