Critical Log4j Vulnerability
It’s likely you’ve seen the news about a new, highly dangerous vulnerability on your computers. In techie language, it’s referred to as ‘Log4j’. But, is this something you should be concerned with?
Well, due to its widespread use and the ease at which attackers can exploit this vulnerability it has been given a severity rating of 10 (critical).
Log4j is a library commonly used with Java-based computer programs – and the difficulty is you probably don’t know which of your programs use Java, nor which use the specific Log4J library. So, here’s what you need to know…
- For mainstream software, a number of vendors have confirmed that Log4j is used – including Apple, Google, Amazon Web Services and Cisco. These big vendors are all over it, as the risk to their reputation in high if there’s a problem – so make sure you stay on top of installing updates in the coming days.
- For Cloud-based software, then this is the responsibility of the vendor to rectify the problem ASAP. After all, that’s what ‘Software as a Service’, or Cloud-based solutions are for – you’re paying the vendor to take care of these things for you.
- For Hosted Software, it’s often your responsibility to update the software and patch any vulnerabilities. (Remember, most people get ‘Hosted’ and ‘Cloud’ confused – it’s not just about the geographical location of your software!).
- For Local Software, it’s definitely your responsibility to update your computers and servers.
The primary way to resolve this vulnerability is for the software vendor to update the Log4j version to 2.15.0. and then issue you with an updated installation of their software. You then need to update your local or hosted applications accordingly.
For our customers, who have signed up to our Device Management solution, we have developed a script to scan for the existence of Log4j and report on whether the vulnerability exists. So, if you have the vulnerable version installed locally (on a Server or PC), then we will find it and be in touch with you – and then we can chase the software vendor for their updated versions.
And, we’re here to help you if you receive any confusing emails from your Hosted, Cloud or Mainstream software vendors asking you to do something.
If you’re interested, then further information can be obtained from the National Cyber Security Centre: https://www.ncsc.gov.uk/news/apache-log4j-vulnerability