Last week, a critical vulnerability dubbed Log4Shell, was found in Apache’s Log4j logging tool and is currently affecting millions of devices around the world. Log4j is a logging library that is widely used across many different services and devices and is likely a lot more common than you think.
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code remotely. Proof-of-concept code has now been released for this vulnerability and it is being actively exploited in the wild; if left unpatched, the risk of compromise is very high, and could open the way for a number of attacks, such as credential theft, data extraction, ransomware or infection of the rest of your network.
The initial vulnerability CVE 2021-44228 has been rated with a base CVSS score of 10.0, which is the highest / most critical score available when rating vulnerabilities.
Be aware that further vulnerabilities have been found since the initial advisory and its now recommended to ensure Log4j is running updated version 2.16.0.
Many organisations and individuals may not even know that they are using Log4j, as it is simply a component used in different types of software; but it is almost a guarantee that most users are using it somewhere on their devices or in online services. The majority of users being unaware of the risks posed by this flaw, makes it even more severe, so spreading awareness of it is very important.
Generally, we recommend applying the latest updates as soon as possible, and continue to apply future patches as soon as they are made available.
As for organisations, understanding where Log4j may be present is essential; we strongly advise you try to discover all instances of Log4j within your organisation and ensure that patches are applied everywhere, as soon as they become available.
Lists of affected components, apps and vendors have been published on GitHub, which may assist in identifying instances of Log4j. These lists can be found here; please consult the advisory section below for a list of other associated and useful resources.
Here are some resources and advisories to help you understand this vulnerability. As new information is released, we will update this section and try to provide a timeline of events and updates, including any changes to advisories and recommendations as vendors begin to fix their products and provide updates.
Log4j – Apache Log4j Security Vulnerabilities
What the Log4j vulnerability is, who is affected - NCSC.GOV.UK
GitHub - cisagov/log4j-affected-db
First Log4Shell attacks spreading ransomware have been spotted - The Record by Recorded Future
Relentless Log4j Attacks Include State Actors, Possible Worm | Threatpost
Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges (thehackernews.com)
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
