In November 2021, major vulnerabilities were discovered in Log4j. Log4j is an open-source Java logging library developed by the Apache Foundation. It is used in many custom applications, off-the-shelf software, security products and cloud applications like Steam and Apple iCloud. The Log4j library is present in many enterprise Java software and Apache frameworks. Other large projects including Netty, MyBatis and the Spring Framework also use the library. A range of vulnerabilities have been discovered in multiple versions of Apache Log4j. Scanning and attempted exploitations have been found globally. National Cyber Security Centres have discovered exploited vulnerabilities in VMware Horizon, MobileIron and Ubiquiti Unifi Network Application, among others. Vulnerabilities allow remote code execution and information disclosure, if exploited. Denial of Service exploits, bypassing mitigations to Log4shell and Conti ransomware operators gaining access through vulnerabilities, are all risks. Vulnerabilities also allow exfiltration of sensitive data. The list of applications impacted by these vulnerabilities is vast and so all organisations must proactively audit, test, review and respond to patching and updates.
Information security specialists say that the Log4j vulnerability may be one of the most serious in the last ten years. Over time, it may become the most impactful vulnerability in the history of modern cyber security. Known vulnerabilities, patched vulnerabilities, half-day and zero-day exploits in the open-source code libraries can result in major future data breaches, supply chain attacks and ransomware attacks. Companies and organisations should locate and upgrade all instances of log4j and mitigate threats. This Resources Page is a dashboard of the most useful information and guidance.
Log4j Joint Cybersecurity Advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) – December 2021
NCSC UK Alert: Apache Log4J Vulnerabilities
NCSC UK Log4j Vulnerability: What Everyone Needs to Know
NCSC UK Log4J Vulnerability: What Should Boards be Asking?
NCSC Ireland Log4j Alert and Advisory
NCSC Netherlands Log4j Alert and Resources
CISA GOV (USA) Log4j Vulnerability Guidance on Github
PrivacySolved has years of expertise in data protection, cybersecurity strategy and data breach response. For advice, support, projects and programmes, contact PrivacySolved:
Telephone: +44 (0) 207 175 9771 (London)
Telephone: +353 1 960 9370 (Dublin)