A new zero-day vulnerability has set the internet on fire and made many companies extremely worried. Read this blog post to find out what Log4j vulnerability is and whether it affects you.
Contents:
What is the Log4j vulnerability?
This new vulnerability was found in Log4j - otherwise known as Log4Shell - a Java library used to log error messages in applications. Log4j is used in web apps, cloud services, and email platforms. Therefore, there may be a number of companies that need to take action as soon as possible.
What does vulnerability in Log4j mean? In simple terms, the Log4j vulnerability allows bad actors to execute any code remotely, whether over LAN, WAN, or the internet.
Why patching zero-day vulnerability fast is so important?
A zero-day vulnerability is a flaw in computer software that the developer usually doesn’t know about. Alternatively, the developer is already aware of the problem but hasn't released a patch yet. In most cases, such vulnerabilities are discovered by hackers who try to exploit them and can cause damage to programs, computers, or the whole network.
Zero-day vulnerabilities are extremely dangerous as they can be exploited in a short time frame. By the time the company discovers the vulnerability, a patch is released, and all users update their software, hackers may have caused a lot of damage.
Who’s affected?
Any systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.15. This includes Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware. You can see the complete list of vulnerable software and its security status here.
What about your computer? Apple has already patched the Log4Shell iCloud vulnerability, and Windows is not vulnerable to the Log4j exploit.
Is NordPass affected by Log4j?
No, NordPass is not affected by Log4j at the moment as our tech stack doesn’t use it. However, we are constantly monitoring our apps and infrastructure for any indirect dependencies so that we can mitigate them there and then.
What to do if you are using one of the products at risk?
Unfortunately, in such a situation, most of the security fixes fall in the hands of companies and products that use Log4j. At the moment, their security teams need to identify devices that run Log4j and update them to Log4j-2.16 or a later version.
If you receive a notification from such a company urging you to update your software, please do so immediately to protect your data.
However, if you are more tech-savvy and know how to scan your packages and dependencies, there are a few things you can do. Here’s how to detect and mitigate the Log4Shell vulnerability.