- What We Do
- Who We Help
- About Us
- Reach Out
Security Advisory Nickname: Log4Shell
Security Advisory Name: CVE-2021-44228
Security Advisory Link(s): http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228, https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Security Advisory Severity: CRITICAL
A serious vulnerability has been found in Log4j which is a logging tool, Java library, included in almost every Java application worldwide. In fact, it is one of the most widely used Java libraries thus far. Most Java applications log data, and there is nothing easier to use than log4j. A critical vulnerability was found that can be widely exploited potentially giving an attacker the ability to execute arbitrary code on a system that uses log4j with little effort. This could lead to crypto mining installations, data breaches, malicious deployments, and ransomware seeding, among others. The discovery has a broad impact and any application containing log4j needs to be given immediate attention. CVE-2021-44228 was given a critical severity rating of 10 out of 10 due to its ease of use, global scope, and potential impact. Another reputable metric called the Kenna Risk score gave CVE-2021-44228 a 93 out of 100. By Kenna standards this is an exceptionally rare score. The problem with this exploit is identifying all the affected software or systems. In many cases, we will all be at the mercy of our vendors alike, waiting for them to push their necessary fixes. Although a patch for this vulnerability has been released by Apache it is only helpful for software developers at this time.
Please take a moment to watch this public video about the Log4Shell security advisory, https://www.youtube.com/watch?v=CvkUPvIMM7o&list=RDCMUCHkYOD-3fZbuGhwsADBd9ZQ. We encourage all our clients to investigate their internal and third-party usage of log4j for configurations that may be vulnerable. There is already a plethora of information concerning this vulnerability available online that can be searched. If you are uncertain or unable to determine if your implementation is vulnerable, patch or update aggressively. Patches and updates are not available for everything yet but there are a few known workarounds to help mitigate exposure. Several community efforts have arisen to track vulnerable software and its status like this one, https://github.com/NCSC-NL/log4shell/tree/main/software. Should your organization develop any Java based software then ensure you have updated your log4j to the latest version 2.15.0+ in all your software developments, https://logging.apache.org/log4j/2.x/download.html. Then make sure you push out patches or updates to anyone that uses your Java based software as soon as possible. For those that need to have the Java Runtime Engine (JRE) installed anywhere for any reason we recommend updating it to the latest version, consistently updating it and removing any older versions. Updating the JRE will not fix the Log4Shell vulnerability but has long been a generally accepted Java recommendation.
The following list outlines software that we install at our clients although installed software may vary from client to client. They are effective at detecting and responding to threats that vulnerabilities like this one can allow to be executed. No single tool can catch or stop everything, but a complimentary blend of the tools we offer can go a long way to preventing exposure, damage, and further risk. We strongly recommend reaching out to our Sales team If you do not have one or more of these products so you can get started with better protection.
If you have any questions, comments, or concerns about this security advisory then we would ask that you give us a call at (416) 410-7268 or create a ticket by sending an email to firstname.lastname@example.org. Depending on your request we are also happy to setup an appointment with you to discuss this vulnerability further given its potential impact.