Apache Log4j Vulnerability Poses Latest Security Risk
News & Trends

Apache Log4j Vulnerability Poses Latest Security Risk

Apache Log4j Vulnerability Poses Latest Security Risk

Monday, December 20, 2021 / Michael Kettenring

What is Apache Log4j?

Log4j is a java-based software library developed by Apache. It is widely used in many devices world-wide. This includes cellphones, tablets, laptops, PC, MAC's and so much more. Most operating systems and most browsers are using this piece of software. Many consumer and enterprise services, websites, and applications as well as in operational technology products utilize Log4j. Its main purpose is to log security and performance information of systems. As a user you will never see this software library, as it is deeply hidden in any system. 
In simple terms, this library can be found everywhere.

Why does this pose a risk?

In essence hackers can exploit log4j to gain entry to systems. Once they have access, there are very few limits to what hackers can do. It includes placing viruses, hijacking computers and servers, complete networks, placing ransom ware and much more. 
Jen Easterly, head of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), called it "one of the most serious flaws" seen in her career.
The US government has issued a warning to impacted companies to be on high alert over the holidays for ransomware and cyberattacks.

What can the industry do?

The bad news is that there is no remedy available to fix this immediately. While Apache has released multiple patches so IT companies can update their servers, this issue will haunt the industry for years.

WEEcommunicate.com has installed patches on all of its servers immediately. We also have upgraded operating systems earlier than planned to be proactive. We are monitoring the situation.

As published by CISA:

  • On December 10, 2021, Apache released Log4j 2.15.0 for Java 8 users to address a remote code execution (RCE) vulnerability—CVE-2021-44228.
  • On December 13, 2021, Apache released Log4j 2.12.2 for Java 7 users and Log4j 2.16.0 for Java 8 users to address a RCE vulnerability—CVE-2021-45046.
  • (Updated December 18, 2021) On December 17, 2021, Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DOS) vulnerability—CVE-2021-45105.

Source: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

What can you do as a consumer?

As a consumer or regular user of technical devices, we recommend to follow these steps on a regular basis:

  • Update your operating system of all of your devices as soon as there is a new version available. You can automate the updates in your settings so you are not missing out. Check your cell phone, tablet, laptop, PC or MAC, TV, and any device connected to the internet.
  • Update your browsers to be on the latest version. Best is to auto update in your settings.
  • Are you running any software on your device? Chances are, you do. Contact your software provider, and get the latest updates. You may start by going to the app store and check all of your APPS.
  • Do you have a business that runs software form a software provider? Contact them and find out what they are doing.

We will keep you updated of any news.