Log4Shell: The Worst Vulnerability in a Decade Is Being Exploited Right Now
A critical vulnerability (CVE-2021-44228) in Apache Log4j, an open-source logging library used by millions of Java applications worldwide, was disclosed on Friday. It's called Log4Shell, and it's being described as one of the most severe vulnerabilities in the history of the internet.
The vulnerability allows an attacker to execute arbitrary code on any system running a vulnerable version of Log4j. No authentication required. The exploit is trivially easy to execute. And Log4j is everywhere.
Why This Is So Serious
It's Everywhere
Log4j is used by an enormous number of enterprise applications, cloud services, and consumer products. Apple, Amazon, Google, Microsoft, Cisco, VMware, and thousands of other vendors use Log4j in their products. If it runs Java, there's a good chance it uses Log4j.
It's Easy to Exploit
The exploit can be triggered by simply sending a specially crafted text string to any application that logs user input using Log4j. A chat message, a search query, a form field, even a User-Agent header. If the application logs the input and uses a vulnerable version of Log4j, the attacker can execute code on the server.
It's Already Being Exploited
Within hours of disclosure, mass scanning and exploitation began. Cryptomining malware, ransomware, and state-sponsored espionage groups are all actively exploiting Log4Shell. The window between disclosure and mass exploitation was essentially zero.
What Your Practice Should Do
Contact Your Vendors
You probably don't run Log4j directly. But your vendors might. Contact every software vendor you use (practice management system, imaging, cloud services, patient portal, backup) and ask whether their products use Log4j and whether they've patched.
Update Everything
Apply all available updates from every vendor. Many are releasing emergency patches to address the Log4j vulnerability. Prioritize internet-facing systems.
Monitor for Unusual Activity
If any of your systems were vulnerable before patching, they may have been compromised. Monitor for unusual behavior: unexpected outbound connections, new user accounts, unfamiliar processes running.
Talk to Your IT Provider
Your IT provider should be actively assessing your environment for Log4j exposure. If they haven't contacted you about this, call them. This is a "drop everything" situation.
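One way an IT provider can inventory a server for Log4j exposure, as an added example that is not from this post or from the Log4j project: walk a directory for Java archives (including jars nested inside .war files, which is how many vendor products ship), read the log4j-core version from the Maven pom.properties that log4j-core jars carry, and report whether the JndiLookup class is still present, since deleting that class was Apache's documented mitigation for older releases. The file names, directory layout and version string in `demo()` are constructed sample data.

```python
import io, os, re, tempfile, zipfile
# Class that performs the JNDI lookup; Apache's documented mitigation for older
# log4j-core releases was to delete it from the jar, so its presence is the signal.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
def inspect_archive(data, label):
    """Inspect one archive (bytes); recurses into nested jars, e.g. WEB-INF/lib inside a .war."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # not a zip container, nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:  # Maven-built log4j-core jars record their version here
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            version = m.group(1).strip() if m else None
        findings = []
        if version or JNDI_LOOKUP in names:
            findings.append({"archive": label, "version": version, "jndi_lookup": JNDI_LOOKUP in names})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                findings.extend(inspect_archive(zf.read(name), label + "!" + name))
        return findings

def scan_tree(root):
    findings = []  # one entry per archive that looks like log4j-core or still ships JndiLookup
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVES):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), os.path.relpath(fh.name, root)))
    return findings

def _fake_archive(entries):  # constructed sample data, not a real log4j build
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed tree: a bare log4j-core jar, a .war bundling it, and an unrelated jar."""
    core = _fake_archive({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
    samples = {"log4j-core-2.14.1.jar": core, "other.jar": _fake_archive({"a/B.class": b""}),
               "portal.war": _fake_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": core})}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Run `scan_tree` against each vendor product's install directory: a hit gives you the shipped log4j-core version to compare against Apache's fixed release and tells you whether the class-removal mitigation was applied there.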
The Open-Source Reality
Log4j is maintained by a small team of volunteers. This critical piece of infrastructure, used by billions of dollars' worth of commercial products, is maintained as a free, open-source project. The people who found and disclosed the vulnerability, who are patching it, and who are responding to the crisis are largely unpaid volunteers.
The tech industry has a dependency problem. We rely on open-source software without investing in its maintenance and security. Log4Shell is the consequence.
Patch. Update. Monitor. And thank the open-source maintainers who are working through the weekend to fix this.