This weekend, a very serious vulnerability in Log4j, the widely used Java logging library, was disclosed. It allows an attacker to execute arbitrary code on a remote server: a Remote Code Execution (RCE) vulnerability. Because Java and Log4j are so widespread, and because the vulnerability is easy to exploit (an attacker only needs to get a crafted string such as ${jndi:ldap://...} into any value the application logs, a User-Agent header for example), this is likely one of the most serious vulnerabilities on the Internet since Heartbleed and ShellShock.
This was a "zero day" exploit, meaning that the bad guys found the vulnerability and started exploiting it before a fix was available. NIST's National Vulnerability Database has catalogued it as CVE-2021-44228 with a CVSS score of 10.0 out of 10, the highest possible severity.
Who is affected
Put simply, Java applications that use the log4j package: Log4j 2 from version 2.0-beta9 up to and including 2.14.1, with the fix first shipped in 2.15.0. It is almost impossible to list all affected software and services conclusively, given how widely the library is used and the many versions, bundlings and configurations in circulation, all of which affect whether a given system can actually be exploited.
An attempt to collect responses from as many vendors and service suppliers as possible can be found here, though that list shouldn't be taken as authoritative.
What you can do
Most importantly, you should take immediate action on the following:
- Identify every use of affected log4j versions within your infrastructure, including copies bundled inside application archives (war/ear files, fat jars) rather than installed as a separate package.
- Apply available patches from your software vendors, or their documented mitigations, or consider disabling elements of your infrastructure/services until patches are available.
- Monitor your systems and logs for signs of past and ongoing exploit attempts, bearing in mind that attackers obfuscate the ${jndi:...} string to evade simple searches.
- Take immediate steps to restore any system showing signs of compromise to a known good state.
We are actively following the steps above and triaging those affected. Those most severely affected have already been contacted, and we will continue to monitor all infrastructure proactively to ensure every system is patched as soon as possible.