Blog/Cybersecurity News/

Log4j zero-day vulnerability: how dangerous is it and who is affected?

Oliver Noble

Oliver Noble

·

Dec 29, 2021

·

2 min read

At this point, even people outside cybersecurity are asking: “What’s up with this Log4j vulnerability?” Log4Shell, a vulnerability in the Log4j library, has caused a serious stir among the world’s biggest companies. So who is affected this and what can they do to protect themselves?

What is the Log4j vulnerability?

Log4j is an open-source Java library for logging application errors created by the Apache Software Foundation. It’s used in web apps, email services, and cloud platforms. One of Log4j’s features is allowing users to insert code to customize error notifications.

Log4Shell is a vulnerability allowing cybercriminals to exploit that customization feature remotely. It was discovered on November 24, 2021. So far, Log4Shell has been used to spy on political opponents, mine cryptocurrency, perform ransomware attacks against Minecraft players, and more.

Has NordLocker been affected by Log4j?

NordLocker has not been affected by this vulnerability directly. However, while we don’t use Log4j ourselves, a risk still exists of having indirect dependencies, which we are continuously analyzing.

Why addressing Log4Shell is important

In Java, dependencies can be packaged as Java archives (JAR). This means that packages can be archived inside other archives, creating multiple levels that companies now must comb through. So, a company may not even realize it’s affected by this vulnerability.

That’s why the key issue is often not discovering or even patching the vulnerability. But it is making sure the patch is applied as fast as possible. Given the global Log4j adoption, patching systems is imperative.

Who’s affected?

Any service using Apache Log4j versions 2.0 to 2.14.1 is at risk. Affected companies include those such as Amazon, Cisco, Microsoft, Nelson, and WMware. Furthermore, frameworks such as Apache Struts2, Solr, Druid, Flink, and Swift are at risk. Reportedly, Netty, MyBatis, and the Spring Framework have also been affected.

But it is not only a problem for the companies. Based onThe Washington Post, Log4Shell can give hackers access to your Smart TV and other IoT devices.

How to mitigate Log4Shell risks

Luckily, a Log4j vulnerability patch (2.17.0) has been released. The most important thing now is to make sure your products and services are updated as soon as possible. Note that the previous patch (2.16) was found to have its own vulnerabilities and should not be used.

Log4Shell can be exploited via local networks and Wi-Fi, too, so check that both internet-facing and non-internet facing software is updated.

After you deal with this Logj4 vulnerability, it’s worth taking a broader look at your systems. This may prevent or at least help respond to similar threats in the future. Try thinking about questions like:

  • What Java products are you using?
  • Who is responsible for keeping your systems up to date?
  • How should you react if there is a cyber security incident at your company?

At the end of the day, cases like Log4j can serve as a reminder that no software is 100% fool-proof. That’s why the importance of cybersecurity should not be underestimated neither by solo enterprises nor global companies.

Oliver Noble

Oliver Noble

Verified author

A nerd with a laser focus on all things cybersec. His own words. Oliver’s hobbies away from the computer include reading, Netflix, and testing the limits of yet another Raspberry Pi. To our surprise, this 130-pound ‘nerd’ also bakes a killer pumpkin pie.