What is log4j and how bad is the news?
On December 9, a new “remote code execution” vulnerability, also referred to as CVE-2021-44228 or Log4Shell, was disclosed in Log4j. Log4j is by far the most popular logging library for applications built on Java. This is extremely problematic because Log4j is often part of internet-facing services and software, which makes the flaw relatively easy to exploit remotely.
If attackers successfully exploit this vulnerability on one of your servers, they can potentially take full control of the system. Malicious actors are already scanning for and exploiting this vulnerability, since exploit code is publicly available.
On top of that, a second problem was found, CVE-2021-45046, where attackers could carry out a DoS (Denial of Service) attack, making the server unusable without breaking into it.
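As an added example (not code from the original page), a small Python helper to find out whether your own systems ship a vulnerable log4j-core, including copies bundled inside wars and fat jars: it reads the version from the jar's Maven pom.properties and checks whether the JndiLookup class is still present (deleting that class was the documented mitigation for releases that could not be upgraded). The 2.16.0 threshold and the conservative handling of the 2.12.2 / 2.3.1 backport releases are this example's own assumptions, and the sample jars it builds are constructed for the demonstration.

```python
import io
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Real paths inside a log4j-core jar; everything else in this file is an added example.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
Finding = Tuple[str, Optional[str], bool]  # (location, version, exposed?)

def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' -> (2, 0)."""
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())

def is_exposed(version: Optional[str], jndi_present: bool) -> bool:
    """Assumption: below 2.16.0 and still shipping JndiLookup counts as exposed; the 2.12.2 /
    2.3.1 backports are flagged conservatively. A jar with the class deleted is not flagged."""
    return jndi_present and (version is None or version_tuple(version) < (2, 16, 0))

def inspect_archive(data: bytes, label: str) -> List[Finding]:
    """Inspect one archive held in memory, recursing into nested jars/wars/ears."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # corrupt input raises zipfile.BadZipFile
        names = set(zf.namelist())
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace") if POM_PROPERTIES in names else ""
        version = next((l.split("=", 1)[1].strip() for l in props.splitlines() if l.startswith("version=")), None)
        if version is not None or JNDI_LOOKUP_CLASS in names:
            findings.append((label, version, is_exposed(version, JNDI_LOOKUP_CLASS in names)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):  # fat jars and wars bundle log4j-core inside
                findings.extend(inspect_archive(zf.read(name), f"{label}!{name}"))
    return findings

def scan_tree(root: str) -> List[Finding]:
    """Walk a directory on disk and report every log4j-core found, nested ones included."""
    archives = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVES)
    return [f for p in archives for f in inspect_archive(p.read_bytes(), str(p))]

def sample_jar(version: str, keep_jndi: bool, nested: bytes = b"") -> bytes:
    """Constructed sample: a fake log4j-core jar, optionally wrapping another archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
        if nested:
            zf.writestr("WEB-INF/lib/inner.jar", nested)
    return buf.getvalue()
```

Point scan_tree() at your application directories; entries reported as exposed are the ones to upgrade or patch first.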
- Code RED: How to deal with Log4Shell vulnerability? (blog article)
- Code red at IT departments: fear of a new wave of ransomware (De Tijd article, in Dutch; original title: “Code rood bij IT-afdelingen: vrees voor nieuwe golf aan gijzelsoftware”)