Businesses urged to act now on serious Log4Shell or Log4j security flaw
This article is accurate at the time of reporting, which was on 15 December 2021.
For the latest information on the Log4j vulnerability, including the latest advice on patching, please refer to the Apache website.
Cyber security experts are urging anyone who uses the Log4j Java open source logging library to update their systems to the latest version or apply a mitigation immediately.
The “Log4Shell” vulnerability (CVE-2021-44228) is rated at 10/10 in severity because it allows for full control of a compromised server over the internet.
Note: CVE, which is short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that’s been assigned a CVE ID number.
Hackers are already actively searching the internet for systems exposed to this vulnerability and quickly exploiting them, and authorities are warning that ransomware attacks using this method are likely.
The popular gaming platform Minecraft was the first to have been breached through the vulnerability; cyber criminals simply entered some malicious text into a game chat window.
Anyone using versions 2.0-beta9 to 2.14.1 of Log4j is affected. The vulnerability also affects default configurations of Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid and Apache Flink, among others, if they haven’t been updated to the latest version.
We’ve seen the type of damage that can be wrought through flaws in open source software like Apache before: the devastating 2017 breach of credit bureau Equifax, which saw the personal data of 148 million Americans and 15 million Britons compromised, was perpetrated through a flaw in Apache Struts. The Australian Cyber Security Centre has posted information on how to mitigate this vulnerability. Businesses are urged to update to the latest version of Log4j wherever it is used as soon as possible.
What is CVE-2021-44228 aka Log4Shell?
Several days ago, security outlets and media started reporting on the discovery of a critical vulnerability in the Apache Log4j library, which is used by millions of organisations across the globe, both in their own internal software and in the third-party products they use to run their operations.
CVE-2021-44228 – Log4j/Log4Shell – can be easily exploited to take control of vulnerable systems remotely, and we are aware that hackers are actively scanning the internet for affected systems. The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia’s CERT.
What systems are affected?
Systems and services that use the Java logging library Apache Log4j, versions 2.0-beta9 to 2.14.1 inclusive.
How can I update or mitigate against the vulnerability?
The Apache Foundation has issued an updated Log4j version, 2.16.0, which is not vulnerable to Log4Shell by default. Ensure you update to this version or later for protection.
According to the Australian Cyber Security Centre, information on how to mitigate this vulnerability can be found on the Apache website.
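The first practical step behind the two answers above (which systems are affected, and whether an update has actually landed) is finding out which Log4j versions are present on a host. The following Python script is an added example, not code from the original article or from Telstra: it walks a directory tree, reads the version recorded in each log4j-core jar’s Maven pom.properties, compares it against the affected range the article gives (2.0-beta9 through 2.14.1), and also reports whether the JndiLookup class is still present in the jar. The pom.properties path and the JndiLookup class path are the standard layout of Apache’s published log4j-core jars; the sample jars built by build_sample_jar are constructed fixtures for demonstration only, not real Log4j builds.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range as stated in the article: 2.0-beta9 through 2.14.1 inclusive.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"
FIXED_VERSION = "2.16.0"  # the release the article says to update to (or later)

# Standard locations inside an Apache log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before a final release (rank 3)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)


def parse_version(text):
    """Turn a Log4j version string such as '2.0-beta9' or '2.14.1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = _PRE_RANK[pre.lower()] if pre else 3
    return (int(major), int(minor), int(patch or 0), pre_rank, int(pre_num or 0))


def is_affected(version):
    """True if the version falls inside the article's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH)


def inspect_jar(path):
    """Return (version, jndi_lookup_present) for a jar; version is None if no pom.properties is found."""
    version = None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return version, has_jndi


def scan_tree(root):
    """Walk a directory and report every log4j-core jar, its version and whether it needs attention."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        if not jar.name.startswith("log4j-core"):
            continue
        version, has_jndi = inspect_jar(jar)
        findings.append({
            "path": str(jar),
            "version": version,
            # An unknown version is reported, but is not claimed to be affected.
            "affected_version": bool(version) and is_affected(version),
            "jndi_lookup_present": has_jndi,
        })
    return findings


def build_sample_jar(path, version, include_jndi=True):
    """Constructed fixture (not a real Log4j build): a minimal jar carrying only the metadata the scanner reads."""
    Path(path).parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def run_demo():
    """Build two constructed jars in a temporary tree, scan it and return the findings keyed by version."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(Path(tmp) / "app" / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
        build_sample_jar(Path(tmp) / "log4j-core-2.16.0.jar", FIXED_VERSION, include_jndi=False)
        return {f["version"]: f for f in scan_tree(tmp)}


if __name__ == "__main__":
    for version, finding in sorted(run_demo().items()):
        status = "AFFECTED" if finding["affected_version"] else "ok"
        print(f"{finding['path']}: version {version} -> {status}, JndiLookup present: {finding['jndi_lookup_present']}")
```

Run it against a real application directory with `scan_tree("/opt/myapp")`. Two caveats a practitioner should keep in mind: Log4j is frequently shaded into fat jars or nested inside war/ear archives, which this simple walker does not open, and a jar whose pom.properties has been stripped is reported with version None rather than silently passed as clean.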
Has Telstra been impacted by CVE-2021-44228 aka Log4Shell?
We continue to monitor, review and patch our systems. We haven’t seen any successful exploitation attempts in our network or IT applications to date, however we remain vigilant as this complex situation evolves. Our Security team continue to work around the clock, scanning our systems and performing hunt activities, to help keep our network and customers’ information secure whilst we complete upgrades and mitigation activities. We continue to work closely with the Australian Cyber Security Centre (ACSC), our suppliers and industry partners to assist in upgrades and mitigation activities.