The facts:
After the Microsoft vulnerability in early December, it is now the Log4Shell security vulnerability that is making headlines. It was the Bundesamt für Sicherheit in der Informationstechnik (BSI) (the German equivalent of ANSSI) that revealed its existence on December 10, 2021.
It concerns the Log4j logging library developed by the Apache Foundation. A library, also known as a software library, is a set of functions and classes that have already been coded in a specific language for the purpose of developing software. When misused, the Log4j library can execute unauthorized code on a server.
This flaw is worrying because the Log4j library is widely used around the world, particularly by large companies. Versions 2.0 to 2.14.1 are affected by this vulnerability. Furthermore, it is a zero-day flaw, meaning that no patch was available when it was discovered.
According to Jennifer Easterly, director of CISA, "This is one of the most serious, if not the most serious, vulnerabilities I have encountered since the beginning of my career," with a threat rating of 10. (Source: France24)
Guillaume Poupard, Director General of ANSSI: "I'm afraid that by digging deeper (...) we will realize that the consequences could be relatively serious."he said, adding: "My fear is that the vulnerability has been exploited for much longer than we imagine." This flaw is indeed being actively exploited.
Patches have been developed.
Apache has released a fix with version 2.15.0 of Log4j , which we recommend you install as soon as possible.
For the organizations concerned (companies, government agencies, etc.), updating their tools can be tedious. It takes time because they have to ensure that the patch does not cause compatibility issues. (Source: LeMonde) And others may not yet be aware that they are vulnerable...
In addition to the Apache patch, many publishers using Log4j are gradually releasing other patches. However, if you encounter difficulties migrating to this version, workarounds can be temporarily applied.
Avant de Cliquer raises awareness about cybersecurity...
- First, we recommend that you check whether you are affected by this vulnerability by making an inventory of your applications.
- Update the library to version 2.16.00 (or temporary workaround).
- Check your logs to ensure there has been no attack.
- Implement technical and organizational solutions within your organization to raise awareness of cybersecurity among your teams.
