(also Log4Shell vulnerability)
A dangerous security vulnerability in Log4j, a Java-based logging utility that tracks specific applications and sends diagnostic messages. The vulnerability relies on log4j’s formatting language being able to trigger code — so by logging messages with malicious scripts, hackers could make the affected devices do what they want.
Log4Shell is a zero-day exploit — while it hit the news in December 2021, it had existed unnoticed since 2013. The Apache Software Foundation, which is responsible for the Log4j project, classified Log4Shell as a “critical” vulnerability and gave it the maximum severity rating of 10 on the Common Vulnerability Scoring System (CVSS).
Real Log4Shell examples
- Nation-state activity groups from China, Iran, North Korea, and Turkey were observed by Microsoft to use the Log4Shell vulnerability in attacks.
- VMware Horizon servers were targeted by hackers using Log4Shell, as reported by the UK's National Health Service (NHS).
Stopping the Log4Shell vulnerability
- An upgrade to the latest version of Log4j. The Apache Software Foundation claims that it got rid of Log4Shell in later versions of Log4j.
- Updates to individual software. Most companies released patches specifically addressing the Log4Shell vulnerability soon after it came to light.
- Monitoring your network for suspicious activity. Regularly monitoring the network helps detect cyberattacks and mitigate actions taken by infected devices.