Recently, the Australian Cyber Security Centre has issued a critical alert for organisations to address a serious cyber security flaw. Learn more about the issue below, and find out if your software could be affected.
Log4j is a Java logging utility which is a project of the Apache Software Foundation.
Log4j is very ubiquitous within the Java ecosystem. If you are running Java based application, chances are your app will be utilising Log4j at some level.
Recently, a researcher from the Alibaba Cloud Security Team discovered a remote code execution (RCE) vulnerability in the popular Java logging framework Log4j.
The vulnerability is exploited by leveraging a Log4j feature called “Message Lookup Substitution” which enables hacker to fetch an external java code to be executed.
Log4j flaw is very serious. It is rated 10/10 on the CVSS score. This flaw can allow attackers total control of your server and steal your confidential data.
Anyone running Java applications that includes the vulnerable Log4j library. In some instances, even if your own application code does not include log4j, but the app may be running on servers that does include log4j.
On Github, a list of companies impacted included Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Google, Webex, LinkedIn, etc.
According to LunaSec, many services are vulnerable to the Log4Shell exploit, including gaming service Steam, Apple’s iCloud, etc. Microsoft’s Minecraft
According to our investigation, this vulnerability can be mitigated by 2 configuration changes as follows
Our team are currently auditing all of our solutions for this vulnerability utilising scanning tools, and working with clients to update their software. Applications have been patched and we continue to evaluate the situation and will apply future patches and mitigations as required
If you are concerned about your solution or would like some advice around this issue, please contact us.
For further details on the Log4j flaw, please refer to the statement on the Australian Cyber Security Centre website. 
Kurnia (Ken) Wonoatmojo DevOps Specialist
Ken Wonoatmojo is technical specialist with specialist skills in DevOps and backend APIs. Ken is passionate about designing fit-for-purpose solutions for enterprise clients, offering technical advice and support. Connect with him on LinkedIn.
Log4j is a Java logging utility which is a project of the Apache Software Foundation.
Log4j is very ubiquitous within the Java ecosystem. If you are running Java based application, chances are your app will be utilising Log4j at some level.
Recently, a researcher from the Alibaba Cloud Security Team discovered a remote code execution (RCE) vulnerability in the popular Java logging framework Log4j.
The vulnerability is exploited by leveraging a Log4j feature called “Message Lookup Substitution” which enables hacker to fetch an external java code to be executed.
Log4j flaw is very serious. It is rated 10/10 on the CVSS score. This flaw can allow attackers total control of your server and steal your confidential data.
Anyone running Java applications that includes the vulnerable Log4j library. In some instances, even if your own application code does not include log4j, but the app may be running on servers that does include log4j.
On Github, a list of companies impacted included Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Google, Webex, LinkedIn, etc.
According to LunaSec, many services are vulnerable to the Log4Shell exploit, including gaming service Steam, Apple’s iCloud, etc. Microsoft’s Minecraft
According to our investigation, this vulnerability can be mitigated by 2 configuration changes as follows
Our team are currently auditing all of our solutions for this vulnerability utilising scanning tools, and working with clients to update their software. Applications have been patched and we continue to evaluate the situation and will apply future patches and mitigations as required
If you are concerned about your solution or would like some advice around this issue, please contact us.
For further details on the Log4j flaw, please refer to the statement on the Australian Cyber Security Centre website.
Kurnia (Ken) Wonoatmojo DevOps Specialist
Ken Wonoatmojo is technical specialist with specialist skills in DevOps and backend APIs. Ken is passionate about designing fit-for-purpose solutions for enterprise clients, offering technical advice and support. Connect with him on LinkedIn.
https://lapisit.com.au/wp-content/uploads/2021/11/Blog-Background.png
807
1920
Hana Rellosa
https://lapisit.com.au/wp-content/uploads/2021/08/LapisLogo-Header-300x138.png
Hana Rellosa2024-07-25 09:57:292024-07-25 09:57:30Why progressive web apps are good for business
https://lapisit.com.au/wp-content/uploads/2023/03/pexels-jorge-urosa-5434981-scaled.jpg
1707
2560
Jeff Dowsing
https://lapisit.com.au/wp-content/uploads/2021/08/LapisLogo-Header-300x138.png
Jeff Dowsing2023-03-17 13:03:522024-05-03 08:57:17Melbourne Water’s Frog Census Working Overtime
https://lapisit.com.au/wp-content/uploads/2023/02/whale-jumping-above-sea-water-3309870-scaled.jpg
1798
2560
Jeff Dowsing
https://lapisit.com.au/wp-content/uploads/2021/08/LapisLogo-Header-300x138.png
Jeff Dowsing2023-02-28 14:34:442023-02-28 14:55:02Whale saving technology warrants wider application
https://lapisit.com.au/wp-content/uploads/2022/02/Blog-Background-5.png
807
1920
Imran Qazi
https://lapisit.com.au/wp-content/uploads/2021/08/LapisLogo-Header-300x138.png
Imran Qazi2022-02-24 20:31:552022-04-13 14:59:58Don’t make these mistakes with your field service solution
https://lapisit.com.au/wp-content/uploads/2022/01/Blog-Background-2.png
807
1920
John Heskins
https://lapisit.com.au/wp-content/uploads/2021/08/LapisLogo-Header-300x138.png
John Heskins2022-01-18 11:32:442024-05-03 08:57:27What makes a successful citizen science program?
https://lapisit.com.au/wp-content/uploads/2021/12/Blog-Background-1.png
807
1920
Lapis
https://lapisit.com.au/wp-content/uploads/2021/08/LapisLogo-Header-300x138.png
Lapis2021-12-23 23:26:032022-04-13 15:00:35The security flaw you need to know – ‘Log4j’
https://lapisit.com.au/wp-content/uploads/2021/11/WayfindingBlogHeader_Proportionate.png
807
1920
Imran Qazi
https://lapisit.com.au/wp-content/uploads/2021/08/LapisLogo-Header-300x138.png
Imran Qazi2021-11-12 15:04:082022-04-13 15:00:59Healthcare needs digital wayfinding – and here’s why
What makes a successful citizen science program?