On December 9, 2021, a high-severity vulnerability in the Apache Log4j library was made public. This is likely to have implications for many businesses.
Apache Log4j is a tool for logging activities in Java software. Developers and programmers use the library to record the activities of their applications and servers. For example, if an unknown user tried logging into an application, Log4j would be used to document the action, and include the time, date, username, and other information.
The vulnerability, called "Log4Shell," enables attackers to perform remote code execution against an affected asset. That means an attacker can run any code and access all data on the vulnerable application. They could delete files, encrypt data, or hold it for ransom. Anything that runs Java can be attacked.
Exploit code has already been made public, which means attacks are potentially taking place now.
Considering many companies use Java, this vulnerability most likely affects many businesses worldwide. Since the time of disclosure, many companies have released information about Log4Shell, including an overview, its impact, and most importantly, the patching information needed for their systems. These include Cisco and Palo Alto, for example.
Apache has released a patch for the vulnerability, which clients should apply today.
There will be more information to follow as this develops.