A severe vulnerability was identified in Apache Log4j. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. A bug in Log4j Java (Log4j 2.0-beta9 through 2.14.1) library is being used to provide hackers the ability to takeover systems without any form of authentication.
An unauthenticated remote actor could exploit this vulnerability to take control of an affected system. Experts believe that this CVE will be used in ransomware attacks due to its ease of exploitation. Services like Steam, Apple iCloud, and Minecraft were/have been found with this vulnerability.
Actions to take:
- Meet with your IT staff or MSP to determine your company’s risk with this vulnerability.
- Review the CISA website with your IT team for further direction and actions to take. https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
Below is a running list of software and appliances affected by Log4j. Clients should contact their vendors for more information. https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592