Log4j Vulnerability – Critical IT Security Threat
Critical level IT system threat – Log4J / Log4Shell Vulnerability
(CVE-2021-44228) and (CVE-2021-45046)
By now you have probably heard of a CRITICAL ‘zero-day’ vulnerability dubbed ‘Log4Shell’. It takes advantage of a flaw in a Java-based logging component called ‘Log4j’. Java and Log4j are widely used by organisations around the world, many of which you will be familiar with, such as Amazon, PaperCut, Dell, Broadcom, VMware, Cisco and IBM. A zero-day vulnerability (or zero-day attack) is a flaw in a system or piece of software that is being actively exploited by attackers before there has been time to remediate vulnerable systems.
If this security issue is exploited, it gives attackers remote access to your systems, which they can then use as a hopping point to reach other systems within your network. It is important to identify any internet-facing web applications that may be using Java, as these are the systems through which a remote attacker could gain access to your network. Firewalls and antivirus are unlikely to reduce the risk by a significant amount.
The Tailor Made team have been busy firefighting, assessing and understanding the impact of this vulnerability across our client base. If you have any line-of-business application, or any other application that may use Java, we urgently request that you contact your vendor and ask whether the software is vulnerable to the ‘Log4Shell / Log4j’ vulnerability. If you are unsure whether a system uses Java, we recommend you contact the vendor anyway; most vendors have published statements on their websites.
This attack is evolving day by day, but it is critical that you contact your software vendors to ensure you remain protected.
If you would like further assistance or advice on this vulnerability, including details of our third-party patching service and how we can help protect your wider network from cyber-attacks, then please get in contact with us:
Apache releases a new 2.17.0 patch for Log4j to fix a Denial of Service (DoS) vulnerability
The problems continue with Apache’s logging software (Log4j): it has been discovered that the 2.16.0 patch, released to correct a major vulnerability (see the 17/12/21 update above), came with its own vulnerability, rated high severity.
The 2.16.0 patch was released on Tuesday 14th December, and by Friday 17th Apache had to release another patch to fix the DoS vulnerability (rated ‘High Severity’ with a CVSS score of 7.5) that was discovered in the days after 2.16.0 became available.
We continue to urgently request that you contact your software vendors and ask them to check the following:
- whether you have any line-of-business application, or any other application, that may use Java
- whether any of those Java-based applications are exposed to the Log4j/Log4Shell vulnerability
- whether you need assistance in patching third-party software to protect you from this vulnerability, which we at Tailor Made can offer
If your software has not had the Apache Log4j component updated to at least 2.16.0, then this recently disclosed vulnerability is yet another danger that could lead to cyber security Armageddon. An unpatched Log4j component could be exploited by a malicious actor to deploy a wide variety of ransomware onto your network (ransomware is a type of malicious software, or malware, that encrypts all your data, which the malicious actors then hold for ransom). Security experts around the globe are finding that a whole host of malicious actors are working to exploit the Log4j vulnerability to deliver ransomware.
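While you wait for vendor statements, a quick inventory of which Log4j versions are actually present on a server helps prioritise. The Python script below is an added example, not part of this post or of Apache’s tooling: it walks a directory tree, reads the version from the Maven `pom.properties` file that `log4j-core` jars carry (an assumption about packaging; jars built differently will be missed), and flags anything older than 2.17.0, the release the update above describes as fixing the DoS issue on top of 2.16.0. The three jars it scans are constructed fixtures built in a temporary directory.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_SAFE = (2, 17, 0)  # the 2.17.0 release named in the post's DoS update
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if the string has no x.y.z prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def log4j_core_version(jar_path):
    """Version from the Maven pom.properties that log4j-core jars carry; None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    return None

def scan(root):
    """Walk root and return {jar path: (version, needs_patch)} for each log4j-core jar."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        try:
            ver = log4j_core_version(jar)
        except zipfile.BadZipFile:  # corrupt or non-zip .jar files are skipped, not fatal
            continue
        if ver is not None:
            findings[str(jar)] = (ver, ver < MIN_SAFE)
    return findings

def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar carrying only the log4j-core pom.properties."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")

def demo():
    """Build three constructed jars in a temp dir and scan them; results keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        for v in ("2.14.1", "2.16.0", "2.17.0"):
            make_sample_jar(Path(d) / f"log4j-core-{v}.jar", v)
        return {Path(p).name: r for p, r in scan(d).items()}

if __name__ == "__main__":
    for name, (ver, bad) in sorted(demo().items()):
        print(name, ".".join(map(str, ver)), "NEEDS PATCH" if bad else "ok")
```

The script does not look inside nested archives (a `log4j-core` jar bundled within a WAR, EAR or fat jar), so a clean result is a starting point for the vendor conversation, not a substitute for it.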
As the scale of the Log4j problem is so extensive, further patches are expected, and the process may take years to be fully sorted out.
Please keep checking for new updates