Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!
Basically, Log4j is an Apache package (written in Java) which does logging. A lot of recent versions have a vulnerability (CVE-2021-44228, aka Log4Shell) which allows RCE (Remote Code Execution). Basically, if you send a particular string to the website, you can launch code; you can do that from the login screen, so this attack doesn't require authentication. It has a base CVSS v3 score of 10, which is the highest possible score.
The good news is that Log4j has a new version out which fixes the problem, so you just need to install the patch.
The bad news is that you wouldn't install something like this directly; it will be a module buried inside another application. E.g. VMware have put out a security advisory with a list of all their affected products: VMSA-2021-0028.1 (vmware.com)
At the time of posting, there's no fixed version for any of them, but they've given workaround instructions for some of the products.
Some people have argued that this demonstrates the need for SBOM (Software Build Of Materials). The idea is that each application would include a list of all the modules etc. that it uses, then you can search through the list in a situation like this rather than having to hunt around all the vendors websites. However, there's still an argument for testing each device/website to check whether it's affected.
Comment