Java Log4Shell Zero-Day Vulnerability Discovered; Immediate Patching Advised for Millions of Users
On December 10th, a critical vulnerability was disclosed in the open-source Apache software used to run websites and other web services across industries. The vulnerability affects a Java logging package known as log4j, which is commonly used by organizations across the world. The Apache Software Foundation has rated Log4Shell a 10 on a scale of 1-10 in terms of severity and priority.
If left unpatched, the Log4Shell vulnerability allows access to internal networks where they can steal data or infect systems with harmful malware. Many servers across the globe have this logging package installed in their servers, including Amazon, Apple, and Google as well as third-party programs.
Since disclosed, organizations have been racing to deploy the latest patch to remedy this detected vulnerability. With the ubiquity of log4j across industries, the full scale of this vulnerability will likely take weeks to realize. Apache has provided more information on the latest vulnerabilities and their updates to protect your organization here.
ACA Aponix Guidance
The Log4Shell vulnerability is serious and requires immediate action. The sheer ubiquity of companies that use the Java logging package adds to the urgency given the significant potential for abuse by malicious actors. ACA Aponix® recommends to:
- Work with your IT team or MSP to urgently review and patch your systems
- Engage with third-party vendors to ensure they patch their systems too
- Reach out to ACA Aponix or other trusted third-party advisors for assistance in reviewing patching procedures as needed.
How we help
ACA Aponix offers the following solutions that can help your firm protect itself in relation to this and similar cybersecurity warnings, and to enhance its cybersecurity in general:
- Threat intelligence, phishing testing and monitoring
- Operational resilience and governance
- Risk assessments and regulatory compliance testing services