What is the Log4j Vulnerability?
What is the Log4j vulnerability?
The Log4j vulnerability, known as CVE-2021-44228 or “Log4Shell”, affects java-based applications that use Log4j versions 2.0 – 2.14.1. The vulnerability can, in some cases, allow an attacker to run malicious code on your systems without authentication, or enable hackers to gain remote access to a business’ servers or IT systems.
“Log4Shell” is what’s known as a zero-day vulnerability, meaning it was published to the public before the relevant vendors had the chance to detect, fix and patch it.
What is Log4j?
Log4j is an open-source Java logging library developed by the Apache Foundation. It is widely used across lots of Java-based applications used on both Linux and Windows internet platforms.
The Log4j library is frequently used in enterprise Java software and is included in Apache frameworks including Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift.
Log4j is used to log information in many Java-based business applications and web apps. There’s a good chance it’s sitting in the background of your IT systems without you knowing or acknowledging it.
What can I do about the vulnerability?
Now that hackers know the vulnerability exists, there is likely to be an increase in attempts to exploit it to gain access to unpatched systems. For that reason, it’s crucially important that your environment is assessed and patched.
If your environment is managed by us, or another Managed Service Provider, it will be assessed for vulnerabilities and action will be taken in agreement with yourself.
If you manage your own environment, you will need to look at your servers and software, and apply any patches that your vendors are recommending. This may potentially include changes to the code base. If you are managing your own environment and have in-house technical capabilities, we recommend looking at this article from Sophos. https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/
Our security teams are monitoring the developments around this vulnerability and minimising the impact for our managed customers. Log4Shell is a global vulnerability and the UK’s National Cyber Security Centre are posting regular updates and advice about the situation. https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
We are also working closely with Microsoft on the situation and are in contact with their security teams for regular updates and advice. You can read more about it on the Microsoft Security Response Center https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/