A critical vulnerability has been discovered in Apache Log4j (CVE-2021-22448), which has the maximum CVSS score of 10. The vulnerability is considered easy to exploit, and unfortunately Apache Log4j is widespread.
ExpandIT customers are not affected by this critical vulnerability in Apache Log4j. Log4j is a Java library, and ExpandIT does not use Java in either our solutions or our infrastructure.
Apache Log4j is an open-source, Java-based logging framework. It is used in many Java applications, so the vulnerability affects products and systems both in the cloud and on-premises.
The vulnerability is exploited by sending a specially crafted packet to a system using Apache Log4j. The packet instructs the system to download and subsequently execute malicious software.
The vulnerability was identified on December 9, 2021, so it is very new, which means that there are still many systems that are not patched or do not yet have a patch available.
By submitting a specially crafted request to a vulnerable system, an attacker can, depending on how the system is configured, instruct that system to download and subsequently execute a malicious payload.
What do I do now?
We recommend that you keep an eye on advisories from ExpandIT and the manufacturers.
ExpandIT will update our customers through newsletters and on social media as soon as we have new information.
Do you want to know more? Please contact email@example.com