CISA Issues Statement on Log4j Critical Vulnerability

Alston & Bird

Log4j is a Java-based tool from Apache’s open source library used for parsing logs that never seems to have made headlines before this past weekend. Now, following the December 9th public announcement of a vulnerability in this tool, public and private sector security partners are issuing warnings about this “critical vulnerability.” While the full scope and exploitability of this vulnerability remain to be seen, the Cybersecurity and Infrastructure Agency (“CISA”) has issued a statement that it is taking “urgent action.” Noting this vulnerability “poses a severe risk,” CISA “is proactively reaching out to entities whose networks may be vulnerable,” and is leveraging its scanning and intrusion detection tools “to help government and industry partners identify exposure to or exploitation of the vulnerability.” While CISA has issued basic guidance (including to patch any known externally-facing uses of Log4j), we can expect more intelligence and mediation recommendations in the coming days and weeks.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
