Log4j - not the yule log you were hoping for!

One of the biggest software security vulnerabilities for some time has been discovered and patched - but that patch needs patching too...

15-12-2021

You may have heard about the recent critical vulnerability in the widely used Java-based logging package, Log4j.

The vulnerability (labelled CVE-2021-44228) allows arbitrary code to be executed on a vulnerable system and at least two botnets have been found to be exploiting this in the wild.

This has had admins and security analysts reaching for the coffee as they prepared to test and roll out the patched update, or at least mitigate the risk.

However, a vulnerability in the initial patch (2.15.0) came to light pretty quickly; it has already been resolved in versions 2.12.2 and 2.16.0.

Log4j - what systems are at risk?

Apache Log4j can be found in everything from the ubiquitous web server Tomcat to the Java version of Minecraft - the list is enormous.

Vendors of applications and PaaS that are built on Java technologies are moving swiftly to release software updates. Amazon has already released a hotpatch utility on GitHub which may save you some woes – but do heed the caveat that, so far, it has only been tested with JDK 8, 11, 15 and 17 on Linux.

Microsoft have released this response which gives advice on updating appropriately, stating “All systems, including those that are not internet facing, are potentially vulnerable to these vulnerabilities, so backend systems and microservices should also be upgraded.”

NCC Group provides this guidance on finding vulnerable versions and detecting whether your systems have already been exploited.
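As an added illustration of the "finding vulnerable versions" step (this is example code written for this post, not the NCC Group or Apache tooling), the script below walks a directory tree, finds `log4j-core-*.jar` files, reads the version from each jar's manifest (falling back to the file name) and flags anything that is not on 2.12.2 on the 2.12 branch or on 2.16.0 and later. It only covers the 2.x line discussed above; the manifest keys it looks for and the demo jars it builds are assumptions, constructed so the script runs offline.

```python
"""Added example (not from the original post): scan a directory tree for
log4j-core JARs and report which ones still need the 2.12.2 / 2.16.0 update."""
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

# File-name pattern of the Log4j 2 core artifact, e.g. log4j-core-2.14.1.jar
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); pads to three parts, tolerates '2.16.0-rc1'."""
    core = re.match(r"\d+(?:\.\d+)*", text)
    if core is None:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(version: str) -> bool:
    """True when the version carries the complete fix named in the post:
    2.12.2 on the 2.12 branch, otherwise 2.16.0 or later. 2.13.x to 2.15.x
    (including the first patch, 2.15.0) therefore still need updating.
    Assumption: only the 2.x line is assessed; anything else returns False."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    if (2, 12, 2) <= v < (2, 13, 0):
        return True
    return v >= (2, 16, 0)


def jar_version(path: str) -> str:
    """Version from the jar manifest, falling back to the file name.
    Assumption: the manifest carries Implementation-Version or Bundle-Version."""
    with zipfile.ZipFile(path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    return JAR_NAME.match(os.path.basename(path)).group(1)


def scan(root: str) -> List[Tuple[str, str, bool]]:
    """Return (path, version, fixed) for every log4j-core jar under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings.append((path, version, is_fixed(version)))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample input: three empty jars with manifests, not real Log4j."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    for rel, ver in [("app/lib/log4j-core-2.14.1.jar", "2.14.1"),
                     ("app/lib/log4j-core-2.16.0.jar", "2.16.0"),
                     ("legacy/WEB-INF/lib/log4j-core-2.12.2.jar", "2.12.2")]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return root


if __name__ == "__main__":
    for path, version, fixed in scan(build_demo_tree()):
        print(f"{'OK    ' if fixed else 'UPDATE'} {version:8} {path}")
```

Point `scan()` at a real application root (or a container image's filesystem) instead of the demo tree; jars embedded inside other archives (fat jars, WAR files) are not unpacked here, so a hit on the file name is only one part of the inventory the linked guidance describes.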

Head over to Apache.org for the full nitty-gritty.
