The LOG4J Vulnerability – What You Need to Know and Do 

The IT industry is working to address a vulnerability affecting multiple technology companies around the globe. A flaw has been exposed in Log4J, a Java library used for logging messages, resulting in a security vulnerability with a severity score of 10 out of 10.

The Log4J vulnerability has been detected in over 15 million Java installations, including prominent open-source projects such as Apache Struts, Spring and Apache Commons. The flaw can enable remote code execution in applications that use Log4J. If an attacker could get an application to send malicious packets of data to a remote log server, the attacker could take control of the server and make it do whatever they want on their behalf (for example, send spam emails).

It’s also possible to exploit this vulnerability using stand-alone attack tools that you can download off the internet.  

Who is at Risk?  

If your organisation is running Apache Log4J versions 2.0 to 2.14.1, you are at risk. Log4J version 2 is also included in the Apache Struts2, Solr, Druid, Flink and Swift frameworks. Log4J is used extensively by many leading vendors in the enterprise technology space, including Cisco, IBM, VMware, and other vendors such as AWS, ConnectWise and N-Able.

 Some of the vendors currently affected.  

  •  Amazon Web Services (AWS)  
  • Broadcom 
  • Cisco  
  • ConnectWise  
  • Fortinet  
  • HCL 
  • Okta 
  • VMware  
  • IBM  
  • N-Able  
  • Comprehensive list here 

 Action You Need to Take  

It is imperative that you identify any internet-facing devices running Log4J and upgrade them to version 2.15.0 or later. In addition, many vendors have released critical fixes that should be applied with immediate effect. It has also been suggested that using security protocols to identify any devices running Log4J may be advisable.

The NCSC recommends updating to version 2.15.0 or later, and – where this is not possible – mitigating the flaw in Log4j 2.10 and later by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.  
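One way to find Log4J copies on a host and confirm that the JndiLookup mitigation took effect, as an added example (not code from the NCSC or from this article): the script looks inside JAR, WAR and EAR files, including nested ones, for log4j-core and reports its version and whether JndiLookup.class is still present. The status names, the nesting limit and reading the version from pom.properties are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Paths inside log4j-core; JndiLookup is the class the mitigation removes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
AT_RISK_FROM, FIXED_IN = (2, 0, 0), (2, 15, 0)  # version range stated in the article

def classify(version, has_jndi):
    """Status for one log4j-core copy (status names are this example's own)."""
    if not has_jndi:
        return "JNDILOOKUP_REMOVED"
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return "UNKNOWN_VERSION"
    v = tuple(int(g or 0) for g in m.groups())
    return "AT_RISK" if AT_RISK_FROM <= v < FIXED_IN else "UPGRADED"

def inspect_archive(data, label, depth=0):
    """Return (location, version, status) for each log4j-core copy in the archive bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
            findings.append((label, version, classify(version, JNDI_CLASS in names)))
        if depth < 3:  # fat JARs and WARs bundle libraries as nested archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVES):
                    findings += inspect_archive(zf.read(name), f"{label}!{name}", depth + 1)
    return findings

def scan_tree(root):
    """Inspect every JAR/WAR/EAR under a directory."""
    paths = [p for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix.lower() in ARCHIVES]
    return [f for p in paths for f in inspect_archive(p.read_bytes(), str(p))]

if __name__ == "__main__":
    for location, version, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:18} log4j-core {version or '?'}  {location}")
```

A copy reported as UNKNOWN_VERSION has the JndiLookup class but no readable pom.properties and should be checked by hand.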

The Dutch Cyber Security agency has also posted a comprehensive list of affected products, showing whether each is vulnerable, not vulnerable, still under investigation, or has had a fix released.

View the A-to-Z list here  

 Do You Need Help?  

We are working alongside our customers and vendors to ensure that our customers have adopted all critical updates for their infrastructure. 

If you have any questions or require help, we have a team of experts that can work with you to identify vulnerabilities and apply fixes, helping you remain secure. If you need assistance, please call us on 0333 344 8971 or email us at hello@cways.co.uk.