If you have been reading any IT news, you will have seen that a very high-risk vulnerability has been identified in Apache Log4j.
Apache Log4j is an open-source Java-based logging library used by many thousands of organisations in their enterprise applications, and by many cloud services.
The Log4j flaw (now also known as “Log4Shell”) is a zero-day vulnerability (CVE-2021-44228) that, according to the warnings, can allow unauthenticated remote code execution and access to servers.
In plain English: this software, used by millions of companies, has a known vulnerability (a hole) that cyber criminals can use to gain access to your systems.
Attackers are already scanning the internet for vulnerable instances of Log4j; cyber security researchers at the IT security company Check Point warn that there are hundreds of attempts to exploit the vulnerability every minute.
What you need to do
Don’t panic. The good news is it’s easy to fix with an update.
If you know you have vulnerable systems, update them to 2.16.0. Apply the update immediately; once it is applied you can carry on as normal.
If it is not possible to update immediately, there are mitigations that can prevent exploitation.
A tool aptly named the “vaccine” has been released by Cybereason; it protects against exploitation by using the vulnerability itself to run code that changes the settings so that further exploitation is prevented.
If you have your own vulnerability scanning tool, it may also be able to check whether you are vulnerable.
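As an added, defender-side example (not code from the original post, from Cybereason or from any vendor scanner), the following Python script walks a directory for log4j-core JAR files, reads the version from the Maven pom.properties bundled inside each JAR, and flags anything in the 2.x line older than 2.16.0, the release the post says to update to. The pom.properties path is the standard Maven layout, and the sample JAR built by make_test_jar is constructed purely for testing.

```python
"""Find log4j-core JARs under a directory and flag versions older than 2.16.0."""
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)  # the version the advisory says to update to
# Maven drops a pom.properties for each artifact under META-INF/maven/<group>/<artifact>/
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def log4j_core_version(jar_bytes):
    """Return the log4j-core version declared inside a JAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_RE.search(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None

def is_vulnerable(version):
    """True when a 2.x version is older than the fixed release (2.16.0)."""
    v = parse_version(version)
    return v is not None and v[0] == 2 and v < FIXED_VERSION

def scan_directory(root):
    """Map each log4j-core JAR path under root to (version, vulnerable?)."""
    results = {}
    for path in Path(root).rglob("*.jar"):
        try:
            version = log4j_core_version(path.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a real JAR; skip it
        if version:
            results[str(path)] = (version, is_vulnerable(version))
    return results

def make_test_jar(version):
    """Build an in-memory JAR (constructed sample) carrying a log4j-core pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    return buf.getvalue()
```

Call scan_directory("/path/to/your/apps") and review any entry marked True. This only inspects plain JARs on disk; log4j-core embedded inside a WAR, EAR or fat JAR, or pulled in at runtime, needs a scanner that also opens nested archives.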
If you already have a scanning service with us, we will be running these scans now on your behalf and updating you should we find vulnerable systems.
If you’re not sure whether you are affected, we can run a free scan on your systems to identify any vulnerable systems that could be targeted.
Contact firstname.lastname@example.org to set up your scan as soon as possible.