Log4j vulnerability - what you needs to know

8 days ago a new critical?Log4j?vulnerability was disclosed:?Log4Shell.

Log4shell?is a critical vulnerability in the widely-used logging tool?Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments and individuals are likely to be affected by it. Although fixes are available it could take time to test properly and implement.

What is Log4j?

Modern software can be large, powerful, and complex. Rather than a single author writing all the code themselves as was common decades ago, modern software creation will have large teams, and that software is increasingly made out of ‘building blocks’ pulled together by the team rather than entirely written from scratch.

A team is unlikely to spend weeks writing new code when they can use existing code immediately.

Log4j is one of the many building blocks that are used in the creation of modern software. It is used by many organisations to do a common but vital job. We call this a ‘software library’.

What uses Log4j?

Log4j is used by developers to keep track of what happens in their software applications or online services. It’s basically a huge journal of the activity of a system or application. This activity is called ‘logging’ and it’s used by developers to keep an eye out for problems for users.

Also Log4j is extensively used across vendors, open source projects, frameworks and top-level foundation projects. In addition to the millions of Java applications using Log4j, many of the Apache Software Foundation’s own projects are making use of Log4j themselves, such as Apache Solr, Apache Struts2, Apache Kafka, Apache Druid, Apache Flink, Apache Swift and others.

Is Log4j vulnerable?

Yes. All versions of Log4j starting at 2.0-beta9 up to 2.14.1 are impacted by the Log4Shell vulnerability. It’s a critical vulnerability that requires urgent action. This vulnerability can lead to remote code execution (RCE) attacks.

What’s the issue?

Last week, a vulnerability was found in?Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years.

Who is affected by this?

Almost all software will have some form of ability to log (for development, operational and security purposes), and Log4j is a very common component used for this.

For?individuals, Log4j is almost certainly part of the devices and services you use online every day. The best thing you can do to protect yourself is?make sure your devices and apps are as up to date as possible?and continue to update them regularly, particularly over the next few weeks.

For?organisations, it may not be immediately clear that your web servers, web applications, network devices and other software and hardware use Log4j. This makes it all the more critical for every organisation to?pay attention to our advice, and that of your software vendors, and make necessary mitigations.

How to fix the Log4j vulnerability?

The easiest way to remediate this is to update to Log4j version 2.16.0 or later