Taylor Jolin

Technology Solutions Consultant, Musician, Animator

Tag: log4j

21Dec

So what is Log4j and why do we care?

Well, first, we need to understand what Log4j is. Essentially, Log4j is the logging function that is built-in in Java applications. This current vulnerability is affecting Apache servers; however, I feel that it will spread to a larger domain of targets aside from web servers.

On December 9th, the initial vulnerability was discovered, and software and hardware makers scrambled to issue patches for their products. A few days later, however, Hideki Okamoto of Akamai Technologies and other researchers found additional vulnerabilities within the patches.

So why is this a big deal? Well, Java is a colossal language and has a presence in a large number of consumer products. This vulnerability allows for the remote execution of code. When exploited, Log4J enables the attacker to remotely inject code into services that use the Log4j library with system-level privileges.

So what do we do? Updating Java is not enough. One thing you can do is update to Log4j2 version 2.16. If you cannot update, you can mitigate this vulnerability by setting either the system property log4j2.formatMsgNoLookups or the environmental variable LOG4J_FORMAT_MSG_NO_LOOKUPS to TRUE.