The German Federal Office for Information Security (BSI) has issued a red-level cyber security warning. The reason is a critical vulnerability in the widely used Java library Log4j, which the BSI regards as a serious threat situation.
Log4j version-dependent vulnerability
Log4j is a popular and widely used logging library for Java applications that is used to aggregate log data within an application.
The Log4j vulnerability disclosed on December 9 affects versions 2.0 through 2.14.1 and is patched as of 2.15. According to the proof of concept (PoC) published on GitHub the same day, the vulnerability allows attackers to execute their own code on target systems or simply knock out individual applications and entire servers.
Potential risks in Log4j
The critical vulnerability can be used not only to install further malware but also to read confidential data. No external malware is even required: a single request is enough. This critical vulnerability therefore potentially affects every Java application reachable from the Internet that uses Log4j.
There are already numerous examples of scripts that scan systems at random for the vulnerability, and there is growing evidence of attempts to exploit it via botnets.
We have reacted
Our SysOps reacted immediately and applied the necessary security patches to affected systems, upgraded Elasticsearch and removed unused Elasticsearch instances. In addition, all file systems on our servers were searched for the keyword "Log4js" in order to identify further usage locations of the vulnerable logging library. Since only Java applications are affected by the current vulnerability, it was not necessary to scan PHP applications.
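As an added example (not part of this advisory and not the tooling the SysOps team used), the following script shows how a file-system search for Log4j usage locations can be made more precise than a plain keyword search: it walks a directory tree for log4j-core jars, reads the version from the jar's manifest (falling back to the file name), and flags anything in the affected range 2.0 through 2.14.1, treating 2.15 as the first fixed release as stated above. The directory layout, the jar contents and paths such as app1/lib are constructed fixtures for the demonstration, not real servers.

```python
"""Scan a directory tree for log4j-core jars and flag versions in the affected range."""
import os
import re
import tempfile
import zipfile

# Version range taken from the advisory: 2.0 through 2.14.1 affected, fixed as of 2.15.
FIRST_AFFECTED = (2, 0, 0)
FIRST_FIXED = (2, 15, 0)

# Matches e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar
JAR_NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple such as (2, 14, 1)."""
    core = text.split("-")[0]  # drop qualifiers like -beta9 or -rc1
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True when the version falls inside [2.0, 2.15)."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def version_from_manifest(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF inside the jar, if present."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def version_from_filename(jar_path):
    """Fallback: derive the version from a conventionally named jar file."""
    match = JAR_NAME_RE.search(os.path.basename(jar_path))
    return match.group(1) if match else None


def scan_tree(root):
    """Return (path, version, affected) for every log4j-core jar below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = version_from_manifest(path) or version_from_filename(path)
            affected = is_affected(version) if version else None  # None: version unknown
            findings.append((path, version, affected))
    return findings


def summarize(root):
    """Map jar file name -> (version, affected) for reporting."""
    return {os.path.basename(p): (v, a) for p, v, a in scan_tree(root)}


def make_sample_jar(path, manifest_version=None):
    """Constructed fixture: an otherwise empty jar, optionally carrying a manifest version."""
    with zipfile.ZipFile(path, "w") as jar:
        if manifest_version is not None:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\nImplementation-Version: %s\n" % manifest_version)
        else:
            jar.writestr("placeholder.txt", "")  # no manifest: name-based detection only


def build_demo_tree():
    """Constructed layout (assumed paths): one affected jar, one fixed, one without manifest."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    app1 = os.path.join(root, "app1", "lib")
    app2 = os.path.join(root, "app2", "WEB-INF", "lib")
    os.makedirs(app1)
    os.makedirs(app2)
    make_sample_jar(os.path.join(app1, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(app2, "log4j-core-2.15.0.jar"), "2.15.0")
    make_sample_jar(os.path.join(app2, "log4j-core-2.11.2.jar"))
    return root


if __name__ == "__main__":
    for path, version, affected in scan_tree(build_demo_tree()):
        status = {True: "AFFECTED", False: "ok", None: "unknown"}[affected]
        print("%-8s %-8s %s" % (status, version, path))
```

The walker only looks at loose jar files; log4j-core bundled inside a .war, .ear or a shaded "fat" jar is not unpacked here, so on a real server a name-based scan is a first pass and the manifest check should also be run on extracted archives.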
If you have any questions about Log4j, the security of your system or other topics, please feel free to contact us at any time.