The Log4j vulnerability: Guidance for Nephila Web customers and Moodle users in general

In this article:

  • What is the Log4j vulnerability?
  • Why it does not affect Nephila Web customers
  • What you should know about cybersecurity and Nephila Web
  • Why is open source safest?
  • Call to action

We have received a large number of questions and concerns regarding the recently disclosed Log4j vulnerability. While this vulnerability does not have any impact on Nephila Web’s clients and systems, we want to take the opportunity to explain what these vulnerabilities are, how they work, and how Nephila Web and Moodle enforce consistent security practices that meet the standard of the industry worldwide.

So what is the Log4j vulnerability?

The Log4j vulnerability, also known as Log4Shell or LogJam, is a flaw in the Log4j logging utility used by software written in the Java programming language. It allows unauthorized parties to gain elevated permissions and execute code at will.

Log4j is an open source project, currently maintained by the Apache Software Foundation, which is dedicated to supporting some of the most popular open source initiatives, many of which are used in the administration and management of Moodle sites. Log4j provides logging functionality, which plays an important role in practices and tasks such as resource management, diagnostics and troubleshooting.

The Log4j vulnerability has existed since 2013, but Apache was only notified of it last year by Chen Zhaojun, an engineer on Alibaba Cloud’s security team. Following the common procedure, Apache disclosed the vulnerability publicly on December 9 last year by submitting it to the National Vulnerability Database, run by the U.S. National Institute of Standards and Technology, as entry CVE-2021-44228.

The global cybersecurity community acted swiftly, developing patches and spreading them far, wide and quickly. While there was some news of major websites being affected (apparently with the help of state-level resources), for the most part attacks were averted, with a few reports of attacks thwarted as they happened. There is, however, a possibility that some attacks succeeded but have not yet materialized: a malicious actor may have obtained access but be waiting to reap the rewards, or an affected company may have decided to keep news of an attack private.

An updated list of affected vendors and software is available here. While sources are linked, we do not vouch for its reliability, as it is user-generated.

Governments around the world have urged companies to patch their systems, some with ultimatums and even threats of fines or other civil liabilities; the U.S. Federal Trade Commission is one example.

We will continue to monitor incidents to act promptly and accordingly.

How is the Log4j vulnerability affecting Nephila Web’s systems?

Since the Log4j vulnerability applies to software written in the Java programming language, which is not commonly used by EdTech applications or their dependencies, there have been no known reports of successful attacks on any Moodle sites.

For Nephila Web, there have been no impacted customers nor Moodle instances managed by us, as none of our systems use the Java programming language to any meaningful capacity.

Moodle is PHP-based software, meaning Log4Shell cannot affect Moodle’s core. However, Moodle systems not run by us may rely on Java-based software that implements Log4j, and would therefore be vulnerable if it has not received the appropriate patches. One example is an LMS run through virtual environments, among which VMware is one of the most popular tools. VMware is written in Java, and has released an advisory urging users to upgrade to a patched version.

Moodle plugins and third-party integrations may have components written in Java. A popular example is the Solr global search functionality available for Moodle. Users of Solr are urged to patch their systems immediately. We can report that none of the Moodle sites managed by Nephila Web use the Solr utility.

Users of Microsoft Azure cloud services should consult this official resource.

It is still possible that, for clients who host their Moodle platform (serviced by us) on their own server or cloud instance, interconnected third-party software written in Java may require patching. If you believe this is a possibility, we encourage you to reach out to the provider of the third-party software in question. If you need further assistance, we would be delighted to provide our detailed server diagnostics process, which is part of our consulting services.

As a Nephila Web client, you may have engineering credits or hours as part of your plan so we can perform the diagnostics at no additional cost. Please reach out to your Nephila Web representative for inquiries.

What the Nephila Web and Moodle communities should be aware of regarding the Log4j vulnerability

The Log4j vulnerability was one of the most widely reported security issues in 2021, but not necessarily the most critical or dangerous. With many patches available, the most straightforward way to fix it is to make sure the system is updated to Apache Log4j 2.15.0 or higher. (Please note that every Log4j 1.x version is vulnerable and has been unsupported since 2015.)

Given the prominence of Log4j among Java software, and the continued popularity of Java itself, this vulnerability may have been the most widespread in recent years. Log4j is also used by thousands of Java utilities, meaning a Java developer may be pulling in Log4j several dependency levels deep without realizing it.
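The two points above (third-party Java software on a self-hosted Moodle server may need patching, and Log4j can sit several dependency levels deep) can be checked with an inventory scan. The following is an added example, not Nephila Web's diagnostics process or any Moodle code: it walks a directory, opens every jar/war/ear, recurses into archives nested inside them, and flags any log4j-core below 2.15.0 or any Log4j 1.x jar. The 2.15.0 threshold comes from this article; the Maven metadata paths and archive extensions are assumptions about how Log4j jars are packaged.

```python
# Added example: defensive inventory scan for Log4j jars (paths are assumptions)
import io
import os
import zipfile

MIN_SAFE = (2, 15, 0)  # the fix version named in this article
CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J2_PREFIX = "META-INF/maven/org.apache.logging.log4j/"
LEGACY_CLASS = "org/apache/log4j/Logger.class"  # shipped by Log4j 1.x jars
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(props):
    """Return (major, minor, patch) from a Maven pom.properties body, or None."""
    for line in props.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            nums = [int(p) for p in parts[:3] if p.isdigit()]
            return tuple(nums + [0] * (3 - len(nums)))
    return None

def inspect_archive(data, label, findings):
    """Check one archive held in memory and recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if CORE_PROPS in names:
            ver = parse_version(zf.read(CORE_PROPS).decode("utf-8", "replace"))
            if ver is not None and ver < MIN_SAFE:
                findings.append((label, "log4j-core %d.%d.%d is below 2.15.0" % ver))
        elif LEGACY_CLASS in names and not any(n.startswith(LOG4J2_PREFIX) for n in names):
            # the 2.x log4j-1.2-api bridge also ships this class, so it is excluded
            findings.append((label, "Log4j 1.x, vulnerable and unsupported since 2015"))
        for name in names:  # nested jars: the "several levels deep" case
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), label + "!" + name, findings)

def scan_tree(root):
    """Walk a directory tree; return [(path, problem)] for each flagged archive."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings
```

Run `scan_tree("/path/to/java/apps")` on the host and hand any flagged paths to the vendor of that software; an empty list only covers jars on disk, not Log4j baked into a running container image elsewhere.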

The number of cybersecurity incidents continues to rise year after year, which does not necessarily correspond to a growing number of vulnerabilities. Instead, most known incidents relate to security features that are present in the software but not activated (as with the teenager who managed to hack a Tesla vehicle), or to tricking humans into handing over access to secure systems, a practice known as “social engineering.”

Is open-source software safe?

Log4j is an open source library used by countless organizations and tools, including giants like Microsoft, Cisco and Oracle. If you have seen news in the past about similar vulnerabilities, chances are that most of the news, if not all, are related to open source software. But this should not lead you to conclude that open source software is any less safe compared with the proprietary or commercial variety.

There are two reasons why we encounter this bias in the reporting:

  • Open source is more widely used than proprietary software. In the case of utilities like Log4j, the difference can be several orders of magnitude. Any similar vulnerability in a commercial product will affect a fraction of a percent of the users that an open source one does.
  • Open source has a built-in incentive to openly disclose vulnerabilities to the global community. For large systems like Moodle, there are several thousand engineers and researchers actively monitoring the security and integrity of the platform. Unfortunately, this is not the case with commercial enterprises, where disclosing software failures often conflicts with short-term, market-based or profit-oriented interests. With Moodle, disclosure always works to the benefit of everyone.

In any case, a deep level of collaboration on security is expected across the industry, including from proprietary vendors. But since collaboration is inherent to the values of open source, even large software providers like Google (with its open source security rewards program), Facebook, Amazon and, today, even Microsoft are important adopters and promoters of open source technologies, with security being one of the main reasons behind their support.

Conclusion

Cybersecurity is a growing area of attention, given our increasing interdependence with connected devices. But this should not be cause for constant alarm or anxiety. A security-minded technology partner like Nephila Web can help you develop and implement common-sense practices for both your LMS platform and infrastructure, as well as your people and organizational culture.

We can help you ensure that:

  • The systems you rely on to manage and deliver world-class elearning are always compliant and up-to-date regarding security, and monitored 24/7;
  • The infrastructure and scheme of user access and permissions provides tight control and oversight of actions performed on the system, in a simple and clear way;
  • Good user practices related to security, privacy, and data hygiene are encouraged and rewarded.

If you would like to know more, you are welcome to get in touch with us. Contact us or request a meeting at [email protected] or (MOBILE) 0917-621-5229