The Log4Shell vulnerability, discovered by the Alibaba Cloud Security Team and disclosed by Kronos on December 9, 2021, has affected multiple versions of the Apache log4j 2 utility. The vulnerability (CVE-2021-44228, CVSS score 10.0) affects Apache log4j 2 versions 2.0 through 2.14.1. According to Randori, “the vulnerability allows threat actors to execute unauthenticated remote code execution,” which means that “any scenario that allows a remote connection to supply arbitrary data that is written to log files by an application utilizing the Log4j library is susceptible to exploitation. This vulnerability is being exploited in the wild and thousands of organizations are impacted. This vulnerability poses a significant and active real world risk to affected systems—PLEASE TAKE IMMEDIATE ACTION.” (www.randori.com)

A second vulnerability was discovered on December 14, 2021. According to Unit 42 of Palo Alto Networks, exploitation of the vulnerability “was incredibly easy to perform” and “massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems. We highly recommend that organizations upgrade to the latest version (2.16.0) of Apache log4j for all systems” which will also patch the vulnerability found on December 14, 2021.

According to the Cybersecurity and Infrastructure Security Agency’s (CISA) alert on December 15, 2021: “Apache has released a security update to address a second severe vulnerability affecting its Log4j software library, which a remote attacker could exploit to cause a denial-of-service condition… Affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to protect against both vulnerabilities. Log4j is broadly used in a variety of consumer and enterprise services, websites, applications and operational technology products to log security and performance information… It is noted that this second vulnerability could cause a ‘denial-of-service’ condition. A cyberattack that interrupts or shuts down mission-critical medical technology could cause delays in health care delivery and risk patient safety. Thus, we strongly advise the field to expeditiously implement this second patch, and we urge the government to take immediate countermeasures against any cyber actor and their infrastructure identified as attempting to exploit these vulnerabilities.”
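The practical question behind the three advisories above is which Log4j 2 versions still need action: anything from 2.0 through 2.14.1 is open to CVE-2021-44228, 2.15.0 closes that issue but not the second one, and 2.16.0 is the version the post says to upgrade to for both. The script below is an added example (not code from the post or from the Apache project) that turns those statements into an inventory check. It assumes jars are named `log4j-core-<version>.jar`, which is how the artifact is published, and it builds a constructed temporary directory of empty jar files so it runs offline.

```python
"""Inventory check derived from the upgrade guidance in the post above (added example)."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# (major, minor, patch, release_flag); the flag is 1 for a final release and 0 for
# a pre-release tag, so 2.16.0-rc1 sorts below 2.16.0 and is not reported as fixed.
Version = Tuple[int, int, int, int]

# Thresholds taken from the post: CVE-2021-44228 affects Log4j 2 from 2.0 through
# 2.14.1, 2.15.0 closes it but not the second (denial-of-service) issue, and
# 2.16.0 is the version to upgrade to for both.
FIRST_AFFECTED: Version = (2, 0, 0, 0)
LAST_RCE_AFFECTED: Version = (2, 14, 1, 1)
FIXED_FOR_BOTH: Version = (2, 16, 0, 1)

# Assumed naming convention for the shipped artifact: log4j-core-<version>.jar,
# optionally with a pre-release suffix such as -beta9 or -rc1.
JAR_PATTERN = re.compile(r"^log4j-core-(\d+(?:\.\d+){0,2}(?:-[A-Za-z0-9.]+)?)\.jar$")


def parse_version(text: str) -> Version:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple."""
    numeric, _, tag = text.partition("-")
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    release_flag = 0 if tag else 1
    return (parts[0], parts[1], parts[2], release_flag)


def assess(version: Version) -> str:
    """Classify a Log4j version against the ranges stated in the post."""
    if version < FIRST_AFFECTED:
        return "OUT_OF_SCOPE"  # Log4j 1.x is a separate line not covered here
    if version <= LAST_RCE_AFFECTED:
        return "VULNERABLE"    # open to CVE-2021-44228 and the second issue
    if version < FIXED_FOR_BOTH:
        return "PARTIAL"       # e.g. 2.15.0: first fix only, still upgrade
    return "OK"                # 2.16.0 or later


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk a directory tree and report every log4j-core jar with its status."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            match = JAR_PATTERN.match(name)
            if match:
                version_text = match.group(1)
                status = assess(parse_version(version_text))
                findings.append((os.path.join(dirpath, name), version_text, status))
    return sorted(findings)


def demo() -> Dict[str, str]:
    """Build a constructed tree of empty jar files and return {relative path: status}."""
    sample_jars = (
        "app/lib/log4j-core-2.14.1.jar",
        "svc/log4j-core-2.15.0.jar",
        "svc/log4j-core-2.16.0.jar",
        "legacy/log4j-core-2.0-beta9.jar",
        "other/log4j-api-2.14.1.jar",  # log4j-api is not the jar the check targets
    )
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_jars:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return {os.path.relpath(path, root): status for path, _, status in scan_tree(root)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:<12} {path}")
```

Point `scan_tree` at an application's install directory instead of the constructed tree to use it for real; note that it only inspects file names, so log4j-core classes bundled inside a fat jar or WAR would need the archive unpacked first.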

The bottom line right now is to patch as quickly as possible if you have not already done so and hope you have not already been compromised.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.