Cybersecurity

Red alert: Log4Shell threatens countless IT applications

The German Federal Office for Information Security (BSI) has upgraded its cyber security warning for Log4Shell to “red” (link in German). According to its experts, the critical vulnerability in the widely used Java library Log4j leads to an extremely critical threat situation. “We expect to see cyber claims in this context, which may occupy us for a while longer,” says Kai Fenneken (ERGO Group).

On Twitter, the hashtags #Log4Shell and #Log4j have been trending since the weekend. IT security experts are racking their brains over how to close the vulnerability and fend off attacks. The following media reports describe the problem and the current state of affairs comprehensively and clearly:

Wired.com
The Log4J Vulnerability Will Haunt the Internet for Years

A vulnerability in the open source Apache logging library Log4j sent system administrators and security professionals scrambling over the weekend. Known as Log4Shell, the flaw is exposing some of the world's most popular applications and services to attack, and the outlook hasn't improved since the vulnerability came to light on Thursday. If anything, it's now excruciatingly clear that Log4Shell will continue to wreak havoc across the internet for years to come.

https://www.wired.com/story/log4j-log4shell/

TheVerge.com
‘Extremely bad’ vulnerability found in widely used logging system

Security teams at companies large and small are scrambling to patch a previously unknown vulnerability called Log4Shell, which has the potential to let hackers compromise millions of devices across the internet.

https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit

Threatpost.com
Log4Shell Is Spawning Even Nastier Mutations

What some call the worst cybersecurity catastrophe of the year – the Apache Log4j logging library exploit – has spun off 60 bigger mutations in less than a day, researchers said.

https://threatpost.com/apache-log4j-log4shell-mutations/176962/

“The extent of the specific threat situation cannot be conclusively determined at present, and it is definitely too early to make any concrete statements. Our customers are generally required to update their software and hardware regularly and to apply critical patches without delay,” says Kai Fenneken (ERGO Group). Whether this still helps in the current case, however, is questionable. It already seems to be too late for that with Log4j.

Text: Kristina Tewes