Even Silicon Valley giants such as Amazon, Apple, Google and Twitter, and enterprise software vendors such as Atlassian, Red Hat and VMware, were found to be exploitable through the log4j vulnerability (Log4Shell, CVE-2021-44228). The vulnerability received the maximum CVSS score of 10.0 not because of who was affected but because of how it is exploited: remotely over the network, with low attack complexity, without privileges or user interaction, and with a complete loss of confidentiality, integrity and availability. The impact is compounded by the low skill level required: a crafted string that reaches a vulnerable logging call is enough to trigger remote code execution.
Designing for Enhanced Security
At 21 Analytics we use Rust, a programming language that is memory-safe without relying on garbage collection. Memory safety alone does not rule out a logic flaw of the log4j kind (log4j is written in a memory-safe language too), so we also limit what an attacker can do after gaining code execution: we statically link all dependencies into our final executables, which lets us run them in an otherwise empty container that isolates the execution environment of the process. If an attacker does gain code execution, she finds herself in a container that holds nothing but the executable she compromised.
There is no user data on disk, no shell, no interpreter and no other tooling she can use to continue her exploitation chain. This defence-in-depth approach makes a complete takeover of the system considerably harder and protects sensitive user data. It is not a complete answer on its own: the attacker still controls the compromised process, so whatever that process can reach (its memory, its credentials, its network connections) remains reachable, which is why the container should also run as an unprivileged user with a read-only filesystem, dropped capabilities and restricted outbound network access.
To shrink the executable further we enable link-time optimisation (LTO), which lets the compiler optimise across crate boundaries and discard code that is never reached, so unused functionality from statically linked libraries does not end up in the shipped binary. Less code in the binary means less material for an attacker to reuse.
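The following multi-stage Dockerfile is an added example of the build described above; it is not 21 Analytics' own build configuration. It assumes a pure-Rust crate whose binary is named `app`, builds it as a fully static executable against musl with LTO enabled, fails the build if the binary still depends on any shared library, and copies only the executable into an empty `scratch` image. The image tag, crate name and target triple are assumptions for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a fully static, LTO-optimised binary against musl.
# Example build, not 21 Analytics' own; the crate is assumed to be called "app"
# and to have only Rust dependencies (C dependencies would need musl-tools).
FROM rust:1.78-slim AS build
RUN rustup target add x86_64-unknown-linux-musl
WORKDIR /src
COPY . .
# These release-profile settings normally live in Cargo.toml:
#   [profile.release]
#   lto = "fat"        # whole-program LTO: cross-crate inlining and dead-code elimination
#   codegen-units = 1  # a single codegen unit so LTO sees the whole program
#   panic = "abort"    # drop the unwinding machinery
#   strip = true       # ship no symbols
# They are passed on the command line here only to keep the example self-contained.
RUN cargo build --release --target x86_64-unknown-linux-musl \
      --config 'profile.release.lto="fat"' \
      --config 'profile.release.codegen-units=1' \
      --config 'profile.release.panic="abort"' \
      --config 'profile.release.strip=true'
# Check: a static executable has no NEEDED entries in its dynamic section.
# If anything is still dynamically linked, the build fails here rather than
# producing a binary that cannot start inside an empty image.
RUN ! readelf -d target/x86_64-unknown-linux-musl/release/app | grep -q NEEDED

# Stage 2: an empty image. No shell, no libc, no package manager, no /tmp.
FROM scratch
# Run as an unprivileged uid; scratch has no /etc/passwd, so use numeric ids.
USER 65534:65534
COPY --from=build /src/target/x86_64-unknown-linux-musl/release/app /app
ENTRYPOINT ["/app"]
```

The image contains exactly one file. At run time the remaining hardening is applied by the container runtime rather than the image, for example `docker run --read-only --cap-drop ALL --security-opt no-new-privileges` together with network policy that limits outbound connections, so that an attacker who does gain code execution in `/app` can neither write to the filesystem, escalate privileges nor freely call out.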
21 Analytics customers are VASPs that protect their users' private data and take security seriously. Contact us to join the ecosystem of secure and privacy-guarding VASP networks.