Log4shell is a critical vulnerability in the widely-used logging tool Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments, and individuals are likely to be affected by it. Although fixes have been issued, they will still need to be implemented.
What’s the issue?
In December 2021, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years.
Who is affected by this?
Almost all software will have some form of ability to log (for development, operational and security purposes), and Log4j is a very common component used for this.
For individuals, Log4j is almost certainly part of the devices and services you use online every day. The best thing you can do to protect yourself is make sure your devices and apps are as up to date as possible and continue to update them regularly, particularly over the next few weeks.
For organisations, it may not be immediately clear that your web servers, web applications, network devices and other software and hardware use Log4j. This makes it all the more critical for every organisation to pay attention to our advice, and that of your software vendors, and make necessary mitigations.
What is Log4j?
Modern software can be large, powerful, and complex. Rather than a single author writing all the code themselves as was common decades ago, modern software creation will have large teams, and that software is increasingly made out of ‘building blocks’ pulled together by the team rather than entirely written from scratch.
A team is unlikely to spend weeks writing new code when they can use existing code immediately.
Log4j is one of the many building blocks that are used in the creation of modern software. It is used by many organisations to do a common but vital job. We call this a ‘software library’.
Log4j is used by developers to keep track of what happens in their software applications or online services. It’s basically a huge journal of the activity of a system or application. This activity is called ‘logging’ and it’s used by developers to keep an eye out for problems for users.
What if I don’t know if anything we use is using Log4j?
Ask your in-house developers and/or third-party suppliers and act quickly on their response.
The National Cyber Security Centre, have asked that developers of affected software communicate promptly with their customers to enable them to apply available mitigations or install updates. In turn, you should act promptly on any such communications from developers.
What else can I do?
- Check your systems for the use of Log4j
- Check the list of vulnerable software
- Contact software vendors
- Set Web Application Firewall rules
- Check for scanning activity
- Check for exploitation
- Sign up for the NCSC’s Early Warning Service
Or, if you’re not sure how best to proceed, we’d be happy to offer some free help to assess your systems and advise further – contact us here.
Thanks to NCSC for this info on what is the Log4j vulnerability - a great source of cyber security advice from the Government at ncsc.gov.uk. Crown Copyright, content reproduced under license
