Log4J vulnerability: What it is and what to do about it
There have been some interesting developments in the security world over the last few days which we wanted to make you aware of. A vulnerability was recently published in a widely used Java-based logging library (Log4j; the vulnerability itself has been nicknamed Log4Shell) and has been assigned the highest possible severity rating.
This vulnerability was discovered in November by the Alibaba Security Team and reported to the vendor, the Apache Foundation. Since then, both have worked to fix the issue before it became public knowledge.
Why is the severity rating so high?
This vulnerability allows Remote Code Execution (RCE), which means the bad guys can potentially trick an affected application into running malicious code on the system that hosts it.
What does this mean for me?
Unfortunately, the Java Log4j library is used in a huge number of applications globally, including Minecraft, Apple iCloud and Amazon Web Services (AWS). Generally, cloud service providers have already mitigated or patched this issue, but it is highly likely that on-premises applications are still vulnerable.
What happens next?
We recommend your internal IT team(s) contact your application vendors to confirm whether any of the tools they provide you are affected. Whilst it is likely that your application vendors will contact you directly to advise you if you are affected, many are still investigating their products, so no news does not necessarily mean good news.
As an example, we are aware that UniFi controllers are affected and that Ubiquiti has released a patch as part of the latest version of their controller software.
If you need help implementing any patches or changes advised by your vendors, please feel free to reach out to us at security@select-technology.co.uk.
It is certain that in the coming days and weeks your devices and computers will ask you to perform updates (also known as patching), and it is vital that you apply these as soon as possible.
Would you like to know more about the Log4J vulnerability?
- www.ncsc.gov.uk/news/apache-log4j-vulnerability
- www.secplicity.org/2021/12/10/critical-rce-vulnerability-in-log4js/
- www.cygenta.co.uk/post/log4shell-in-simple-terms
- www.theregister.com/2021/12/13/log4j_rce_latest/