On Thursday, December 9, 2021, a severe vulnerability was discovered that has a devastating effect on systems across the internet. The severity of this particular vulnerability is rated 10/10, the highest known to memory. This means that hackers can remotely obtain unauthorised full access to the vulnerable system with zero user interaction.
What’s the issue?
A vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years.
Who is affected by this?
Almost all software will have some form of ability to log (for development, operational and security purposes), and Log4j is a very common component used for this.
For individuals, Log4j is almost certainly part of the devices and services you use online every day. The best thing you can do to protect yourself is make sure your devices and apps are as up to date as possible and continue to update them regularly, particularly over the next few weeks.
For organisations, it may not be immediately clear that your web servers, web applications, network devices and other software and hardware use Log4j. This makes it all the more critical for every organisation to pay attention to our advice, and that of your software vendors, and make necessary mitigations.
What if …
… I know we are using Log4j in applications developed in house?
Update to version 2.16.0 or later.
… I know Log4j is present in applications supplied by a third party?
Keep any such products updated to the latest version. More products may release patches over the next few days and weeks, and so organisations should make sure they’re checking for updates regularly.
… I don’t know if anything we use is using Log4j?
Ask your in-house developers and/or third-party suppliers. We have asked that developers of affected software communicate promptly with their customers to enable them to apply available mitigations or install updates. In turn, you should act promptly on any such communications from developers.
What else can we do?
Check your systems for the use of Log4j
Check the list of vulnerable software