
Apache Log4j is a Java-based logging component used in many thousands of applications and technologies; the vulnerability described here is widely known as Log4shell.

On December 10th 2021, a new vulnerability was identified that allows remote code execution on servers or clients running vulnerable versions by manipulating log messages. Exploit code is publicly available online and the vulnerability is rated with a CVSS score of 10.0.

SCC is proactively tracking and supporting its managed services customers with the Log4j software vulnerability.

For non-managed services customers, we strongly recommend you contact your vendors and support partners to verify the status of the applications and technologies you have deployed.

The NCSC has published guidance which includes advice on identifying deployments in your environment. This can be viewed at:

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

Known mitigations for this vulnerability as provided by NCSC are:

• If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.15.0 or later
• If you are using an affected third-party application, ensure you keep the product updated to the latest version
• The flaw can also be mitigated in previous releases (2.10 and later) by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath.
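The two NCSC points above that an operations team has to act on are identifying Log4j deployments and then choosing between the upgrade, the formatMsgNoLookups property and the JndiLookup class removal. The script below is an added example (not SCC's or NCSC's tooling) that inventories jars under a directory, reads the log4j-core version from the Maven pom.properties entry that log4j-core jars ship with, checks for the JndiLookup class and recommends an action using the version thresholds stated above (2.15.0 as fixed, 2.10 as the floor for the property mitigation; adjust FIXED_VERSION to whatever the current Apache advisory recommends). It also carries out the class-removal mitigation by rewriting the jar without that entry. The sample jars it builds are constructed stand-ins for real ones so it runs offline.

```python
"""Inventory log4j-core jars and apply the JndiLookup class-removal mitigation.

Added example, not SCC's or NCSC's tooling. Assumes the standard log4j-core jar
layout: a Maven pom.properties entry carrying a version= line, and the JndiLookup
class at its usual path.
"""
import os
import re
import tempfile
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)            # threshold quoted in the advisory; raise per current guidance
PROPERTY_MITIGATION_MIN = (2, 10, 0)  # log4j2.formatMsgNoLookups is only honoured from 2.10 on


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a missing patch level becomes 0, qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def scan_jar(path):
    """Report the log4j-core version, whether JndiLookup is present, and the action to take."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None:
        action = "unknown: no log4j-core pom.properties, check the jar manually"
    elif version >= FIXED_VERSION:
        action = "ok: 2.15.0 or later"
    elif not has_jndi:
        action = "mitigated: JndiLookup class already removed, still schedule the upgrade"
    elif version >= PROPERTY_MITIGATION_MIN:
        action = "vulnerable: upgrade, or set log4j2.formatMsgNoLookups=true / remove JndiLookup"
    else:
        action = "vulnerable: upgrade (the property mitigation is not honoured before 2.10)"
    return {"path": path, "version": version, "has_jndi_lookup": has_jndi, "action": action}


def remove_jndi_lookup(path):
    """The 'remove the JndiLookup class' mitigation. zipfile cannot delete an entry in
    place, so every other entry is copied to a new jar which then replaces the original.
    Returns True if the class was removed, False if it was not present."""
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)
    return True


def find_jars(root):
    """Yield every .jar/.war/.ear under root. Jars nested inside wars or ears are not
    unpacked here; a complete inventory must look inside those too."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                yield os.path.join(dirpath, name)


def build_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a real log4j-core jar (same entry names, placeholder bytes)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # not a real class file
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build two constructed jars, scan them, mitigate the vulnerable one, re-scan it."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "log4j-core-2.14.1.jar")
        new = os.path.join(d, "log4j-core-2.15.0.jar")
        build_sample_jar(old, "2.14.1")
        build_sample_jar(new, "2.15.0")
        before = {os.path.basename(p): scan_jar(p) for p in find_jars(d)}
        removed = remove_jndi_lookup(old)
        return {"before": before, "removed": removed, "after": scan_jar(old)}


if __name__ == "__main__":
    result = demo()
    for name, report in result["before"].items():
        print(f"{name}: version={report['version']} jndi={report['has_jndi_lookup']} -> {report['action']}")
    print(f"after removing JndiLookup from the 2.14.1 jar: {result['after']['action']}")
```

Run it against a real application directory by calling find_jars and scan_jar on the root of the deployment; removing the class rewrites the jar in place, so take a backup and restart the application afterwards, and treat the property or class-removal route as a stopgap until the upgrade is done.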

A centralised list of affected applications and technologies is available on GitHub. You can use it to help assess what action is needed; it links to each vendor's guidance on the mitigation action required where the vulnerability exists. The list can be viewed at:

https://github.com/NCSC-NL/log4shell/blob/main/software/README.md

Further information can be found at:

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/
https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html
https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
