Security Guidance for the Apache Log4j vulnerability (CVE-2021-44228)

What’s the problem?

A critical security issue was recently discovered in Apache Log4j, an open-source Java logging package that is the default logging component for many services and applications.

Successful exploitation allows very simple remote command execution over the Internet without requiring any authentication, resulting in a complete compromise of data and system confidentiality, integrity and availability – giving this vulnerability a CVSS score of 10 (Critical).

Why should you be worried by this?

The issue is in one of the most widely used components for Java and JVM-based applications in the world.

Log4j code may be used directly in your own code, or in another component or third-party piece of software that you use, so there is no easy way to figure out whether you are using it in what you have live on the Internet.
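One way to start inventorying what you have deployed, as an added example that is not from the original post or its linked blog: a small Python scanner that walks a directory, opens every jar/war/ear it finds (including archives nested inside archives) and reports each bundled log4j-core with its declared version and whether it still ships the JndiLookup class. The fixture it scans is constructed; the POM_PROPS and JNDI_CLASS entry paths follow the standard Maven/Log4j layout, and mapping a reported version to fixed or unfixed is left to you and the Apache advisory.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Entry paths in a log4j-core jar (standard Maven/Log4j layout; verify against your artifacts).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def inspect_archive(data: bytes, label: str, findings: list) -> None:
    """Record any log4j-core found in one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (or corrupt); nothing to inspect
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        version = next((line.split("=", 1)[1].strip() for line in props.splitlines()
                        if line.startswith("version=")), "unknown")
        findings.append({"where": label, "version": version,
                         "jndi_lookup": JNDI_CLASS in names})
    for name in sorted(names):  # nested jars, e.g. WEB-INF/lib/*.jar inside a WAR
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_directory(root: Path) -> list:
    """Scan every archive under root; returns one dict per log4j-core occurrence."""
    findings: list = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: a WAR embedding a fake log4j-core 2.14.1 jar (not a real artifact)."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\ngroupId=org.apache.logging.log4j\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not real bytecode
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "app.war", "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())


def demo() -> list:
    """Build the fixture in a temp dir and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d) / "deploy")
        return scan_directory(Path(d))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_directory at your own deployment roots; a hit only tells you log4j-core is present and which version it declares, so treat it as a lead to check, not a verdict.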

If Log4j is being used, attacking it requires just a simple HTTP (web) request, which is really easy to do. This is why it is rated at severity 10, or ‘fix this now!’ in lay-person’s terms.

What can you do?

We have a technical blog post here and a quick overview that you can download here too – there’s no requirement to provide anything like an email address as we want you to be as safe as possible, as quickly as possible!

If you would like to talk to us more about this, feel free to get in touch for our usual pragmatic insight and advice.
