Log4j vulnerability - what everyone needs to know
Log4shell is a critical vulnerability in the widely-used logging tool Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments and individuals are likely to be affected by it. Although fixes have been issued, they will still need to be implemented.
What’s the issue?
Last week, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years.
Who is affected by this?
Almost all software will have some form of ability to log (for development, operational and security purposes), and Log4j is a very common component used for this.
For individuals, Log4j is almost certainly part of the devices and services you use online every day. The best thing you can do to protect yourself is make sure your devices and apps are as up to date as possible and continue to update them regularly, particularly over the next few weeks.
For organisations, it may not be immediately clear that your web servers, web applications, network devices and other software and hardware use Log4j. This makes it all the more critical for every organisation to pay attention to our advice, and that of your software vendors, and make necessary mitigations.
What is Log4j?
Modern software can be large, powerful, and complex. Rather than a single author writing all the code themselves as was common decades ago, modern software creation will have large teams, and that software is increasingly made out of ‘building blocks’ pulled together by the team rather than entirely written from scratch.
A team is unlikely to spend weeks writing new code when they can use existing code immediately.
Log4j is one of the many building blocks that are used in the creation of modern software. It is used by many organisations to do a common but vital job. We call this a ‘software library’.
Log4j is used by developers to keep track of what happens in their software applications or online services. It’s basically a huge journal of the activity of a system or application. This activity is called ‘logging’ and it’s used by developers to keep an eye out for problems for users.
What if …
… I know we are using Log4j in applications developed in house?
Update to the latest version of Log4j (currently Log4j 2.17.0).
… I know Log4j is present in applications supplied by a third party?
Keep any such products updated to the latest version. More products may release patches over the next few days and weeks, and so organisations should make sure they’re checking for updates regularly.
… I don’t know if anything we use is using Log4j?
Ask your in-house developers and/or third-party suppliers. We have asked that developers of affected software communicate promptly with their customers to enable them to apply available mitigations or install updates. In turn, you should act promptly on any such communications from developers.
What else can we do?
- Check your systems for the use of Log4j
- Check the list of vulnerable software
- Contact software vendors
- Set Web Application Firewall rules
- Check for scanning activity
- Check for exploitation
- Sign up for the NCSC’s Early Warning
See the vulnerability alert for more technical detail on these steps.
What if we have been compromised because of this vulnerability?
If you are a UK organisation compromised by this vulnerability, report to the NCSC via our website. See the vulnerability alert for the kind of activity you should report.
