2022 will be the year of broadened supply chain security -- here's why


Even a year after the SolarWinds infiltration in late 2020, software supply chain risk continues to dominate the security conversation. Take the Log4Shell vulnerability that recently came to light and caught everyone off guard. Not only is this flaw insanely easy to exploit but the impacted Log4j library is used in nearly every enterprise Java installation -- and the vulnerability gives attackers ultimate power to download, delete, install, and server-hop as they please. As even massive companies like Google, PayPal, Apple, and Netflix are impacted by this flaw via the software supply chain, it’s another one that makes organizations wonder: are we using that too?
In 2022, IT leaders will intensify their supply chain focus to answer this very question, expanding their scrutiny from their own applications to the components they buy and integrate. Widening the scope of the supply chain is crucial; outside software and components need their checks and balances just as code created internally does. This deepened understanding of supply chain risk will increase demands to test and secure everything, from the most seemingly insignificant open source package to the most extensive APIs and third-party components.
Security firm releases a free fix for serious Log4Shell vulnerability in Apache Log4j


If you are running a version of Apache Log4j between 2.0-beta9 and 2.14.1 (inclusive), the Log4Shell vulnerability is something you need to be aware of. Tracked as CVE-2021-44228, this is a serious and easily exploited RCE flaw in the open-source Java-based logging utility.
An attacker can exploit the security flaw to execute a remote attack by simply using a particular string as the browser user agent. Although the Apache Software Foundation has released a patched version of Log4j, 2.15.0, not everyone is able to update straight away, and this is something that attackers are taking advantage of. Thankfully, security firm Cybereason has released a "vaccine" called Logout4Shell that protects against Log4Shell.
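As an added example (not code from the article, Apache, or Cybereason), here is a small Python checker that encodes exactly the affected range the article states, 2.0-beta9 through 2.14.1 inclusive, with 2.15.0 as the patched release, so a defender can run a dependency inventory's Log4j version strings through it; the pre-release ordering (alpha < beta < rc < final) is an assumption about how Log4j tags its releases, and the sample inventory is constructed.

```python
import re
from typing import Tuple

# Affected range and patched release as stated in the article above.
VULNERABLE_FROM = "2.0-beta9"
VULNERABLE_TO = "2.14.1"
PATCHED = "2.15.0"

# Assumed pre-release ordering: alpha < beta < rc < final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j version string into a sortable tuple (major, minor, patch, tag rank, tag number)."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, tag, tag_num = m.groups()
    rank = _PRE_RANK[tag] if tag else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(tag_num or 0))


def is_vulnerable(v: str) -> bool:
    """True if v falls inside the affected range the article gives (inclusive at both ends)."""
    return parse_version(VULNERABLE_FROM) <= parse_version(v) <= parse_version(VULNERABLE_TO)


def assess(versions) -> dict:
    """Map each version string from an inventory to a verdict; unparseable strings are flagged, not skipped."""
    result = {}
    for v in versions:
        try:
            result[v] = f"VULNERABLE, upgrade to {PATCHED} or later" if is_vulnerable(v) else "not in affected range"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = ["2.0-beta9", "2.0-rc1", "2.14.1", "2.15.0", "1.2.17", "2.0-beta8", "garbage"]
    for version, verdict in assess(sample).items():
        print(f"{version:>10}: {verdict}")
```

The checker only reflects the range this article gives; re-check the vendor advisory before treating a version outside that range as safe.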