Chances are, if you use any web-based software in the course of your work, you will have heard about something called the “Apache Log4j2” vulnerability, and like most people, you’re probably a bit confused about what it means and what you need to do.
In simple terms, Log4j is a legitimate piece of software made by Apache, the organisation behind one of the most popular web server systems in the world. It is often used as a component of much bigger, more complex systems, as it provides a nice “off-the-shelf” tool that lets software developers easily log what is happening in their systems. When things go wrong, they can look back, see what happened, and deliver a fix.
Unfortunately, a vulnerability was found last week which could allow a hacker to bypass any normal security that would be in place, and gain access to the data or software that would normally be out of reach. If you have software or web-based systems that are affected by this vulnerability, there is potential for a hacker to gain access to your data, and the data of many other customers on the same platform.
As a result, any software manufacturer that uses Log4j in their systems has been forced to take action to make sure their systems are updated with a newer version of Log4j, which does not have this weakness.
It’s not all doom and gloom: the vulnerability only affects some versions of Log4j. Even so, it is still best to confirm that any applications you use are safe from this threat.
Our advice at Computercentric is that you do a brief audit of your software to consider what you use in your business. Once you have done this, check to see if the manufacturers of those pieces of software have contacted you by email, or check their websites for news.
Ideally, you want to know that the software you are using is not affected or, if it was affected, to get confirmation that the weakness has been fixed (or is in the process of being fixed), usually by way of a software fix or patch.
On behalf of Computercentric, we have assessed our own in-house applications used in the course of managing our business, as well as the services that we provide to our customers. We have implemented patches where required, and sought assurance from the developers of the applications that are not within our immediate control that the issue has been mitigated.
If you use our WatchGuard line of firewalls with web content filtering, these have been updated to be able to spot and block the traffic that would otherwise cause a breach of security.
If you would like some more technical information, here are links to statements issued by some of the big players that may be of use to you.
Apache
https://logging.apache.org/log4j/2.x/
Amazon Web Services
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
Sage
WatchGuard
https://techsearch.watchguard.com/KB?type=Security%20Issues&SFDCID=kA16S000000SNnuSAG&lang=en_US
Sophos
https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce
Microsoft
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Google Cloud
https://cloud.google.com/log4j2-security-advisory