Update your stuff! Another CVE-2021-44228 Log4j PSA…

Last week, CVE-2021-44228 was published for a critical (perfect 10 CVSS score!) vulnerability in Apache Log4j, a logging library used in thousands and thousands of internet-facing applications, including Minecraft, Ubiquiti UniFi, Apple products, and many others.

Many vendors have been working tirelessly through the weekend, either updating their own infrastructure or publishing patches and software updates that replace the vulnerable Log4j component in their products.

The vulnerability itself has been named Log4Shell by security researchers, and if you’re interested in a quick explainer video, here’s a good one: Critical Vulnerability In Java log4j Affecting UniFi, Apple, Minecraft, and Many Others! (YouTube)

Researchers at Huntress worked through the weekend to publish a tool to check for the vulnerability, which you can find on their GitHub page: huntresslabs/log4shell-tester (github.com)

Also, we found that several versions of OWASP’s ZAP contain a vulnerable version of Log4j. ZAP is used by security professionals to find and fix vulnerabilities in web applications. Developers and DevOps teams may have ZAP integrated into their CI/CD pipelines, and while not internet-facing, development environments are still high-value targets for attackers.

Please check your infrastructure (prioritizing anything internet-facing first!) for applications which contain Log4j and follow vendor instructions to update them as soon as you can!
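One way to start that inventory on a host is to walk the filesystem for log4j-core JARs, read the version from each manifest, and check whether the JndiLookup class is still packaged. This is an added example for this PSA, not the Huntress tester or any vendor's tool; it assumes the JAR is named log4j-core*.jar and that the version is recorded as Implementation-Version in META-INF/MANIFEST.MF, and the two JARs it scans are constructed stand-ins.

```python
"""Inventory log4j-core JARs on disk and flag ones still shipping JndiLookup.
Added example for this PSA (not Huntress's tester or vendor code). Assumes a
Log4j JAR is named log4j-core*.jar and carries Implementation-Version in
META-INF/MANIFEST.MF; JndiLookup.class is the class the CVE's lookup lives in."""
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_jar(path: Path) -> Dict[str, object]:
    """Read Implementation-Version from the manifest and test for JndiLookup."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = "unknown"
        if "META-INF/MANIFEST.MF" in names:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in text.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        return {"path": str(path), "version": version,
                "jndi_lookup_present": JNDI_CLASS in names}

def scan_tree(root: Path) -> List[Dict[str, object]]:
    """Walk root and inspect every log4j-core*.jar; sorted for stable output."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                findings.append(inspect_jar(Path(dirpath) / name))
    return sorted(findings, key=lambda f: f["path"])

def build_sample_jar(path: Path, version: str, with_jndi: bool) -> None:
    """Constructed stand-in JAR for the offline demo; not a real Log4j artefact."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(Path(tmp, "app1", "lib", "log4j-core-2.x-sample.jar"), "2.x-sample", True)
        build_sample_jar(Path(tmp, "app2", "log4j-core-stripped.jar"), "2.x-sample", False)
        for f in scan_tree(Path(tmp)):
            state = "JndiLookup present, update" if f["jndi_lookup_present"] else "JndiLookup removed"
            print(f"{f['path']}: version {f['version']}, {state}")
```

Point `scan_tree` at an application's install directory to get a list of Log4j JARs that still need the vendor's update applied.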

</PSA>
