Businesses urged to act now on serious Log4Shell or Log4j security flaw

A severe security vulnerability in a widely used piece of software is posing a threat to organisations across the globe.
Clive Reeves · 15 December 2021 · 3 minute read

This article is accurate at the time of reporting, which was on 15 December 2021.

For the latest information on the Log4j vulnerability, including the latest advice on patching, please refer to the Apache website.

Cyber security experts are urging anyone who uses the Log4j Java open source logging library to update their systems to the latest version or apply a mitigation immediately.

The “Log4Shell” vulnerability (CVE-2021-44228) is rated at 10/10 in severity because it allows for full control of a compromised server over the internet.

Note: CVE, which is short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that’s been assigned a CVE ID number.

Hackers are already actively searching the internet for vulnerable systems as a result of this vulnerability, and quickly exploiting them, and authorities are warning that ransomware attacks using this method are likely.

The popular gaming platform Minecraft was the first to have been breached through the vulnerability; cyber criminals simply entered some malicious text into a game chat window.

Anyone using versions 2.0-beta9 to 2.14.1 of Log4J are affected. The exploitation also impacts default configurations of Apache frameworks like Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, among others, if they haven’t been updated to the latest version.

We’ve seen the type of damage that can be wrought through flaws in open source software like Apache before: the devastating 2017 breach of credit bureau Equifax – which saw the personal data of 148 million Americans and 15 million Britons compromised. This was perpetrated through a flaw in Apache Struts. The Australian Centre for Cyber Security has posted information on how to mitigate against this vulnerability. Businesses are urged to update to the latest version of Log4Shell wherever it is used as soon as possible.

What is CVE-2021-44228 aka Log4shell?

Several days ago, security outlets and media started reporting on the discovery of a critical vulnerability in the Apache Log4j library, which is used by millions of organisations across the globe, both in their own internal software and the third-party products they use to run their operations.

CVE-2021-44228 – Log4j/Log4Shell can be easily exploited to take control of vulnerable systems remotely and we are aware hackers are actively scanning the internet for affected systems. The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia’s CERT.

What systems are affected?

Systems and services that use the Java logging library, Apache log4j between versions 2.0-beta9 and 2.14.1.

How can I update or mitigate against the vulnerability?

The Apache Foundation has issued an updated log4j version 2.16.0, which is not vulnerable to Log4Shell by default. Ensure you update beyond this version for protection.

According to the Australian Centre for Cyber Security, information on how to mitigate against this vulnerability can be found on the Apache website.

Has Telstra been impacted by CVE-2021-44228 aka Log4Shell?

We continue to monitor, review and patch our systems. We haven’t seen any successful exploitation attempts in our network or IT applications to date, however we remain vigilant as this complex situation evolves. Our Security team continue to work around the clock, scanning our systems and performing hunt activities, to help keep our network and customers’ information secure whilst we complete upgrades and mitigation activities. We continue to work closely with the Australian Cyber Security Centre (ACSC), our suppliers and industry partners to assist in upgrades and mitigation activities.


By Clive Reeves

Deputy Chief Information Security Officer

Clive is the Deputy Chief Information Security Officer and has over 20 years’ experience in cyber security risk management, engineering and operations. Clive leads critical customer-facing security capabilities including the Telstra Security Operation Centres and the Defence Engagement Security Team. Clive was previously the CISO for Telstra’s Defence Engagement Team and also managed a secure ops and incident response centre. Prior to joining Telstra, Clive worked for the Australian Government and served in the Royal Australian Air Force (RAAF). Clive is an engineering graduate of RMIT and holds an MBA in Technology Management.

Related articles

  • Scams to watch out for this shopping season

    Tis the season to shop til you drop, but bargains aren't all you need to watch out for. This time of year is also rife with scammers, trying to take advantage of dodgy emails and texts that promise a deal or discount that almost always sounds too good to be true.
  • Starlink connectivity is coming to Telstra Enterprise customers

    Earlier this year, we announced that we were excited to be bringing Low Earth Orbit (LEO) satellite connectivity, powered by Starlink, to our customers across Australia. Today, we’re even more excited to announce that Telstra Enterprise is now taking orders for Telstra Starlink connections.