The German Federal Office for Information Security (BSI) has issued a level red cyber security warning. The reason is a critical vulnerability in the widely used Java library Log4j, which the BSI considers a serious threat situation.
Log4j version-dependent vulnerability
Log4j is a popular and widely used logging library for Java applications that is used to aggregate log data within an application.
The Log4j vulnerability disclosed on December 9 affects versions 2.0 through 2.14.1 and is patched as of 2.15. According to the proof of concept (PoC), also published on GitHub on December 9, the vulnerability allows attackers to execute their own code on target systems and to take individual applications or entire servers out of service.
Potential risks in Log4j
The critical vulnerability can be used not only to install further malware, but also to read confidential data. This does not even require external malware; a single request is enough. The vulnerability therefore potentially affects every Java application reachable from the Internet that uses Log4j.
Numerous scripts are already circulating that scan systems indiscriminately for this vulnerability, and there is growing evidence of botnets attempting to exploit it.
We have reacted
Our SysOps reacted immediately and applied the necessary security patches to affected systems, upgraded Elasticsearch and removed unused Elasticsearch instances. In addition, all file systems on our servers were searched for the keyword "Log4js" in order to identify further usage locations of the vulnerable logging library. Since only Java applications are affected by the current vulnerability, it was not necessary to scan PHP applications.
Still questions?
If you have any questions about Log4j, the security of your system or other topics, please feel free to contact us at any time.
Stefano Viani is Managing Director of Blackbit digital Commerce GmbH. He is always up to date on the latest developments and trends in e-commerce and digital marketing. For decades he has advised large and medium-sized companies on the technical, visual and promotional optimisation of their web presences, developing in particular concepts and measures for successful sales marketing.