What is Log4j and how is it vulnerable?
Log4j is a logging package commonly included in Java-based third-party software - it is present in many popular applications. It is highly likely that your organization either uses the Log4j package in your own applications or uses products or vendors that rely on Log4j in their applications. The vulnerability allows a threat actor to download files and execute commands on impacted systems.
What are the impacted versions?
- Version 2 of Log4j between versions 2.0-beta-9 and 2.14.1.
- Version 1 is End of Life (EOL) and should be updated.
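The version range above can be turned into a simple inventory check. The following is an added example, not code from the original page or from Emerge; it assumes dependency versions have already been collected into a dictionary (the sample inventory is constructed) and encodes exactly the affected range stated here, with pre-release tags such as 2.0-beta-9 sorted before the matching final release.

```python
import re

# Affected range as stated on the page: Log4j 2.x from 2.0-beta-9 through 2.14.1 inclusive.
# Log4j 1.x is end of life and is flagged separately rather than compared.
AFFECTED_LOW = "2.0-beta-9"
AFFECTED_HIGH = "2.14.1"

# Accepts "2.14.1", "2.0", "2.0-beta-9", "2.0-rc1" and similar Log4j version strings.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?$", re.IGNORECASE
)


def parse_version(v):
    """Convert a Log4j version string into a comparable tuple.

    Returns (major, minor, patch, stage, n) where stage orders pre-releases
    before the final release: 0 alpha, 1 beta, 2 rc, 3 final.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, tag, n = m.groups()
    stage = {"alpha": 0, "beta": 1, "rc": 2}.get((tag or "").lower(), 3)
    return (int(major), int(minor), int(patch or 0), stage, int(n or 0))


def classify(version):
    """Return 'affected', 'eol' or 'not_affected' for one Log4j version string."""
    t = parse_version(version)
    if t[0] == 1:
        return "eol"
    if parse_version(AFFECTED_LOW) <= t <= parse_version(AFFECTED_HIGH):
        return "affected"
    return "not_affected"


def triage(inventory):
    """Group an {application: log4j_version} inventory by status for patch prioritisation."""
    groups = {"affected": [], "eol": [], "not_affected": []}
    for app, ver in inventory.items():
        groups[classify(ver)].append(app)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; replace with the output of your dependency scan.
    sample = {"billing-api": "2.14.1", "portal": "2.15.0", "legacy-batch": "1.2.17"}
    for status, apps in triage(sample).items():
        print(f"{status}: {', '.join(apps) or '-'}")
```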
Why is this vulnerability a big deal?
Immediately following the release of the vulnerability, threat actors began scanning the Internet for vulnerable applications. Publicly available exploit code exists that threat actors can use as a roadmap to exploit the vulnerability. Early reports have identified cryptominer malware and botnets being installed on vulnerable systems. We expect that threat actors are also trying to gain entry to, and persistence in, as many companies as possible, so they are likely leaving web shells or “backdoors” to compromise those systems at a later time, even after they have been updated. There is the possibility that the vulnerability could become “wormable,” meaning that it would auto-propagate through IT environments. Emerge expects that additional attacks are imminent as threat actors gain access.
In short, given the widespread use of Log4j and the criticality, this vulnerability is a big deal and needs to be addressed immediately.
Additional information can be found here.