Log4j Vulnerability
What is Log4j?
Software developers use the Log4j framework to record user activity and the behavior of applications for subsequent review. Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications. The software is maintained by Apache volunteers, five of whom have worked around the clock in recent days to release security updates.
What is Log4Shell?
Version 2.15 and earlier of the log4j library is vulnerable to the remote code execution (RCE) vulnerability described in CVE-2021-44228. (Version 2.16 of log4j patches the vulnerability.) Log4Shell is the name given to the exploit of this vulnerability. But what is the vulnerability and why is it so critical? As described in the CVE, the Apache log4j Java library does not properly validate input.
How can hackers take advantage of Log4j vulnerability?
The Log4j flaw, disclosed by Apache last week, allows attackers to execute code remotely on a target computer, meaning that they can steal data, install malware or take control. Some cybercriminals have installed software that uses a hacked system to mine cryptocurrency, while others have developed malware that allows attackers to hijack computers for large-scale assaults on internet infrastructure.
"To be clear, this vulnerability poses a severe risk," said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, in a statement issued Sunday.
How can companies fix the Log4j problem?
CISA suggests immediately identifying internet-facing devices that have Log4j and ensuring your security team responds to alerts related to these devices. Also, install a web application firewall with rules that automatically update so that your team can concentrate on fewer alerts.
Some patches and technical guidance are available. The Apache organization has released multiple updates in recent days and advised upgrading to the latest version of the Log4j tool.
No comments: