All threat actors need to trigger an attack is one line of text. There is no obvious target for this vulnerability—hackers are taking a spray-and-pray approach to wreak havoc.
Millions of applications and manufacturers use log4j for logging. This includes…
- Apache applications (e.g. Apache Struts, Solr and Druid)
- Video games (e.g. Minecraft)
This community resource is a growing list of software and components that have been found vulnerable and impacted.
Am I Impacted?
This is harder to say.
If you are a CompuVision client you are not impacted by this vulnerability due to any software or agents we have installed, and neither are any of the CompuVision systems we use. We have taken extra security measures disabling anything that may use Java components for the time being. You will not see any interruptions on the CompuVision side of services.
If you are a non-CompuVision client, contact your MSP (Managed Service Provider) or IT team to learn more about the security measures they have in place for you.
It is important to note that updates such as these can cause downtime, but usually these are limited when pushed out by the vendor.
What Should I Do?
If your organization uses the log4j library, upgrade to Log4j 2.16 or newer immediately. You should also be sure that your Java instance is up to date. A patch for CVE-2021-44228 has been released, and it is up to vendors that use this (such as Apple, Twitter etc.), to push updates that completely patch the vulnerability.
Open to the Internet
The mitigating factor for most environments: even if you have some server application written in Java, that uses Log4j, if it is not publicly exposed on the internet your risk is significantly reduced. Since the exploit requires sending dangerous data to the application and the application needs to LOG that data, if that application/software/server is not open to the internet, attackers cannot send the dangerous payload.