Log4J Vulnerability - What you need to know.

Larry Bellehumeur |

What is Log4J?

Log4J is a software framework used to maintain a log of user activity and the behaviour of applications. It is distributed for free and downloaded and deployed millions of times. It one of the most widely used tools used by computer network administrators, websites and application servers.
Do you have a device from one of Novotech's Manufacturing partners? See below for information on all our major modem and router manufactures including Sierra Wireless, Cradlepoint, and Teltonika Networks

What is the issue (the Log4J Vulnerability)?

The issue, first discovered by Apache’s team early in December 2020 potentially allows an attacker to execute code on a target computer or server. This opens potential vulnerabilities, such as the ability to steal data, to install malicious software or even in some cases, take over control of the device.
Among the concerns of security experts is the fact that this vulnerability may allow for ransomware to be installed on a network, allowing networks to be locked until a fee is paid.

Is the Log4J Vulnerability widespread?

Many systems that are accessible on the Internet are vulnerable. As mentioned, the software framework has been downloaded millions of times. It is especially vulnerable in systems such as those used in business software development.

I have some devices with Apache installed, which ones are vulnerable?

According to CISA (Cybersecurity and Infrastructure Security Agency), the issue affects the following versions of software: versions 2.0-beta9 to 2.14.1

Can this issue be easily fixed?

CISA has offered this page for more detail: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance). Companies should first start by identifying which internet-facing devices use Log4J. They further recommend installing a web application firewall.
Once you have identified any vulnerable devices, there are some software updates to mitigate the issue. Apache has provided a link (https://logging.apache.org/log4j/2.x/) to assist with this. As well, other providers such as Oracle (https://www.oracle.com/security-alerts/alert-cve-2021-44228.html) and Microsoft (https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/) have released guidance for their customers