London, United Kingdom

On Friday 10th December, Apache announced a critical vulnerability in Log4j, its logging library for Java. The vulnerability is known as Log4Shell or LogJam.

Rated 10/10 for severity, this is without question one of the most serious IT vulnerabilities to have been discovered in recent memory, as Log4j is often installed on both Linux and Windows systems, either directly or as a dependency of another package or system.

If you are unsure whether Log4j is present on any of your servers or in apps you have developed, we’d recommend checking with your apps or development team.

Rockmore is encouraging all clients to validate whether their own applications and environments use Log4j and to upgrade to the latest version where possible, applying the appropriate mitigation where upgrading isn’t an option.

Here is some further reading on this:

https://www.ncsc.gov.uk/news/apache-log4j-vulnerability

https://www.wired.com/story/log4j-flaw-hacking-internet/

https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html

There is also a Log4j checker utility if you need it, available here: https://github.com/mergebase/log4j-detector