Log4j is a Java framework used by developers to log activity in their software applications. Instead of reinventing a logging component each time they build new software, developers can use existing open-source frameworks like Log4j to save time and effort. The tool is used by millions of developers worldwide, spanning businesses, governments and more.
What is the Log4j vulnerability?
On December 9, an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2 versions 2.14.1 and below. This meant that when the framework was used to log a line of malicious code, Log4j would actually execute the code.
Effectively, this left Java-based servers vulnerable to malicious users, potentially allowing attackers access to systems, with the ability to steal passwords and logins, obtain data, and infect networks with malicious software.
Who is impacted?
Log4j is widely used in application logging, with over 400,000 downloads on its GitHub project. Tech giants such as Google and Microsoft were initially affected, as well as everything from software sellers like Salesforce down to TVs connected to the internet.
Is the vulnerability being fixed?
Google reported that as of December 17, nearly 5,000 of the affected 35,863 artifacts had been fixed, stating: “an artifact affected by Log4j is considered fixed if it has updated to 2.16.0 or removed its dependency on Log4j altogether.” The blog also stated that this represented a mammoth response: "both by the Log4j maintainers and the wider community of open source consumers."
How can I mitigate the risk to my business?
As a first step, ensure that your in-house developers or third-party providers update any applications developed using Log4j to the latest version, which is currently Log4j 2.17.0.
To exploit this vulnerability, attackers have to deliver malicious code to a service running Log4j.
The Washington Post stated: “Phishing emails — those messages that try to trick you into clicking a link or opening an attachment — are one way to do so.”
In line with this, help your staff understand how to identify potentially malicious emails: avoid downloading attachments or clicking links from unknown sources, and check the email address each email has come from. You can read more about ways to keep business data safe in our blog post.