Major Security Flaw affecting millions of web devices

On December 9th 2021, a critical zero-day Apache Java library “Log4j” exploit was discovered affecting a huge number of web applications, devices and services. This vulnerability rates a full 10 out of 10 CVSS score (Critical) in terms of severity. Experts agree this is the biggest cyber security flaw discovered in years and urge immediate action to mitigate the risk. 

What is it?

This vulnerability, also known as “Log4Shell” (CVE-2021-44228) enables uncredentialled remote code executions on systems running vulnerable versions and allows the attacker full control of the affected server.

What are the risks?

The exploit is already being used in the wild to distribute mass-malware in order to launch distributed denial-of-service attacks or mine cryptocurrencies. 

 

Who does this affect? 

Any web facing device or service running Apache Java Log4j versions 2.0 to 2.14.1. Web sites, cloud services, security devices, and more are affected. 

 

How do I know if I am at risk? 

If your organization deploys or uses Java applications or hardware running Log4j v2, you are likely affected. 

If you know you are using Java programming language in any of your applications, you need to check your Log4j versions immediately. 

 

What do I need to do? 

If you can’t upgrade, follow steps below: 

  1. If using version log4j2.x version >=2.10 and <= 2.14.1, this behavior can be mitigated by either setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. 
  2. If using version >=2.0-beta9 and <=2.10.0, mitigation is to remove log4j’s JndiLookup class from JVM’s classpath as under:
    zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class 

 

How do I get help?

If you’re not sure you are affected or unsure how to proceed, please feel free to reach out to NGT by going to http://www.ngthelp.com to call, email or chat with our help desk staff!