Critical Apache Log4j Vulnerability – What You Need to Know
Last week, a critical vulnerability dubbed Log4Shell, was found in Apache’s Log4j logging tool and is currently affecting millions of devices around the world. Log4j is a logging library that is widely used across many different services and devices and is likely a lot more common than you think.
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code remotely. Proof-of-concept code has now been released for this vulnerability and it is being actively exploited in the wild; if left unpatched, the risk of compromise is very high, and could open the way for a number of attacks, such as credential theft, data extraction, ransomware or infection of the rest of your network.
The initial vulnerability CVE 2021-44228 has been rated with a base CVSS score of 10.0, which is the highest / most critical score available when rating vulnerabilities.
Be aware that further vulnerabilities have been found since the initial advisory and its now recommended to ensure Log4j is running updated version 2.16.0.
Does This Affect Me?
Many organisations and individuals may not even know that they are using Log4j, as it is simply a component used in different types of software; but it is almost a guarantee that most users are using it somewhere on their devices or in online services. The majority of users being unaware of the risks posed by this flaw, makes it even more severe, so spreading awareness of it is very important.
Generally, we recommend applying the latest updates as soon as possible, and continue to apply future patches as soon as they are made available.
As for organisations, understanding where Log4j may be present is essential; we strongly advise you try to discover all instances of Log4j within your organisation and ensure that patches are applied everywhere, as soon as they become available.
Lists of affected components, apps and vendors have been published on GitHub, which may assist in identifying instances of Log4j. These lists can be found here; please consult the advisory section below for a list of other associated and useful resources.
Advisories and Resources
Here are some resources and advisories to help you understand this vulnerability. As new information is released, we will update this section and try to provide a timeline of events and updates, including any changes to advisories and recommendations as vendors begin to fix their products and provide updates.
Apache Log4j Security Vulnerability Fixes | 13th December 2021
Log4j Vulnerability – What Everyone Needs to Know | 14th December 2021
Cisco Talos Threat Advisory | 15th December 2021
CISA List of Affected Systems | 16th December 2021
Log4Shell Spotted Spreading Ransomware | 14th December 2021
State Actors Exploiting Log4Shell | 15th December 2021
Exploitation of Second Log4j Vulnerability Begins | 15th December 2021
Log4Shell Exploits Used in Attacks Targeting Ubiquiti Network Appliances | 31st January 2022
UniFi Network Application 6.5.54 Includes Log4j Fix – Addresses Exploit Used in Above Attacks
Ironshare – Security Simplified