High Severity Vulnerability Just Uncovered, Action Needed
Last week, a new vulnerability was discovered and documented in a very public fashion. The official title for this vulnerability is CVE-2021-44228, but the unofficial nickname for it is log4shell. Log4Shell is a high severity vulnerability (CVE-2021-44228, CVSSv3 10.0) impacting multiple versions of the Apache Log4j 2 utility.
The vulnerability allows for unauthenticated remote code execution. Log4j 2 is an open-source Java logging library developed by the Apache Foundation. Log4j 2 is widely used in many applications and is present, as a dependency, in many services. These include enterprise applications as well as numerous cloud services. Because it is a component of a larger application, it is a lot harder to build a list of what can be vulnerable. Until fully confirmed, one must assume that all java applications are vulnerable to this bug.
It might be easier to think about log4j like a tool in a toolbox. We can look at a toolbox and say, “Yeah, that’s probably got an adjustable wrench in it,” but until we go check, we cannot say for certain whether there is a wrench in it.
Many enterprise and cloud applications including several large and well-known vendors utilize Log4j, and therefore, could have this vulnerability. A community list of vendors and publishers’ announcements and positions is in process and lives here: GitHub Gist Security Advisory
Another good reference can be found here: HC3: LogJ4 Sector Alert Bulletin
Everyone needs to be cognizant of the seriousness of this vulnerability, and the fact that it is being exploited in the wild. As time goes on, 2W will do our best to assess any places where this vulnerability may exist, communicate, and remediate them appropriately. Most of the effort to address this vulnerability will be to keep apps, software, and operating systems up to date. We recommend you take care of your environment and ensure your partners are doing the same in theirs.
If you have further questions or need help, give us a call. 2W Tech is a technology service provider with IT Consultants on staff that have a wide berth of experience with cybersecurity and cyber defense solutions.