Updated: Apr 11
We are providing an update on the latest Java Log4j vulnerability, as it is likely relevant to your operations and needs to be addressed.
Log4j is an open-source, Java-based logging library commonly incorporated into web servers and web applications.
The Log4j zero-day exploit was published on December 9th, but attacks have been identified even before this date. It is now being actively exploited in the wild. According to reports, scanning activity by adversaries looking for this vulnerability has ramped up globally.
We regard this exploit as severe because of:
The popularity of Java web servers and applications, and of this specific logging framework.
The severity of the compromise - the exploit results in Remote Code Execution, potentially giving an attacker considerable control over the affected system.
Low complexity - the exploit is relatively simple to execute, requiring only low to medium expertise on the attacker's side.
For these reasons we recommend that you address this immediately and assume that, if you use Log4j versions 2.0 through 2.14.1, you have been compromised.
What to do:
Ask IT to run a global search on all servers for any file named “log4j2”. If found, check the file’s version number.
Permanent fix: version 2.15 fixes the vulnerability. Update to the latest version if your environment allows it.
Temporary fix: set the JVM system property log4j2.formatMsgNoLookups=true in your web/server applications' global configuration. This property is only honoured by Log4j 2.10 and later, so older 2.x installations must be upgraded.
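As an added example (not part of the advisory above, nor a tool from the Log4j project), the following POSIX shell script automates the search step: it locates Log4j 2 core jars by name, reads the version out of the file name, and flags anything in the 2.0 through 2.14.1 range the advisory names as affected. It assumes the jars follow the upstream naming scheme log4j-core-<version>.jar; the directory tree it scans in the demo is constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example: find log4j-core jars and flag affected versions (2.0 .. 2.14.1).
# Assumption: jars are named log4j-core-<version>.jar (upstream convention).

# Return 0 (true) when a Log4j 2 version string falls in the affected range.
log4j_vulnerable() {
  ver="$1"
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -s -d. -f2)
  [ "$major" = "2" ] || return 1            # only the 2.x line is in scope
  minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')   # "0-beta9" -> "0"
  [ -n "$minor" ] || minor=0
  [ "$minor" -le 14 ]                        # 2.0 .. 2.14.x are affected
}

# Extract the version from a path such as /opt/app/lib/log4j-core-2.14.1.jar.
log4j_version_from_path() {
  basename "$1" | sed -n 's/^log4j-core-\(.*\)\.jar$/\1/p'
}

# Walk a directory tree (default: /) and print one line per log4j-core jar.
scan_for_log4j() {
  root="${1:-/}"
  find "$root" -xdev -type f -name 'log4j-core-*.jar' 2>/dev/null |
  while IFS= read -r jar; do
    ver=$(log4j_version_from_path "$jar")
    if log4j_vulnerable "$ver"; then
      printf 'VULNERABLE %s (%s)\n' "$jar" "$ver"
    else
      printf 'ok         %s (%s)\n' "$jar" "$ver"
    fi
  done
}

# Constructed demo: a temporary tree with two empty placeholder jars so the
# scan can be exercised offline. Replace with scan_for_log4j / for real use.
demo_scan() {
  demo_root=$(mktemp -d)
  mkdir -p "$demo_root/app1/lib" "$demo_root/app2/lib"
  : > "$demo_root/app1/lib/log4j-core-2.14.1.jar"
  : > "$demo_root/app2/lib/log4j-core-2.17.1.jar"
  scan_for_log4j "$demo_root"
  rm -rf "$demo_root"
}

demo_scan
```

A name-based search will not see a log4j-core jar bundled inside a WAR or EAR archive, or one that has been renamed, so treat a clean result from this script as a first pass rather than proof of absence; checking the Implementation-Version entry in each jar's META-INF/MANIFEST.MF covers the renamed case.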
Please reach out to us should you have further questions.