Reports are coming in of a newly detected weakness, or vulnerability, in software that most organisations around the world use. As the vulnerability is so widely known, cyber criminals are already scanning for it across the globe and seeking out organisations that are exposed.
The software is Java and the vulnerability is in the Log4j package developed by the Apache Foundation.
Reuters reports: “The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade,” said Amit Yoran, chief executive of Tenable, a network security firm, and the founding director of the U.S. Computer Emergency Readiness Team.
Urgent action needed
The National Cyber Security Centre, a government organisation, rates this security threat as high. We therefore advise you to:
What is the threat?
The vulnerability has the potential to enable cyber criminals and attackers to access your IT systems. This would allow them to deploy cyberattacks on your organisation, such as ransomware, viruses and even bitcoin mining activity. This is a global exposure, and we advise you to review your organisation’s cyber defences and take steps to mitigate the risk.
This vulnerability is likely to be present in many organisations in some way, especially where server infrastructure is internet facing.
What is Log4j?
Log4j 2 is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency.
This includes enterprise applications, including custom applications developed within an organisation, as well as numerous cloud services.
The Log4j 2 library is frequently used in enterprise Java software and is part of Apache frameworks including:
Other large projects including Netty, MyBatis and the Spring Framework also use the library.
Peace of mind
To protect your organisation properly, we recommend you acquire Cyber Essentials certification, which has numerous benefits.
Moore ClearComm provides a wide range of data protection and cyber security consultancy services, designed to secure your organisation and support your compliance with data protection legislation.
To speak to one of our specialist advisers, contact us today.