In the past few hours a new dangerous one has been discovered vulnerability web, which experts have already defined as one of the worst to emerge on the web in recent years. Among the entities threatened there are also giants such as Amazon, Apple, Twitter, which are running for cover to protect themselves. The ‘bug was called Log4shell and afflicts the open source module log4j 2 from Apache software foundation, the heart of the majority of applications hosted by servers around the world.
Cybersecurity alert: beware of Log4shell
The flaw in question allows remote code execution without authentication, which, as specified by theNational Cybersecurity Agency, “Involves the presence of a vast and diversified attack surface on the entire Internet network and, considering its simplicity of exploitation even by unsophisticated actors, makes the vulnerability particularly serious”.
It is therefore necessary to minimize the exposure of the vulnerability “by applying the necessary measures to its servers in the shortest possible time”. The Csirt Italia, the incident response team set up at the Agency, is publishing on its website the security updates to which IT managers of public and private services are invited to refer, including the procedures to resolve the vulnerability.
The first signs of exploitation of Log4shell they seem to have appeared on Minecraft, very popular online game with kids and owned by Microsoft. Log4j 2 is a Java-based logging library widely used in business systems development, it is included in various software and often directly integrated into important applications, which is why the scope of the vulnerability could be enormous.
Since a Java library is involved, which is by nature multiplatform, the impact affects both Windows and Linux and backend systems and microservices are also potentially vulnerable. However, the Apache software foundation explained that the vulnerability has been fixed in the Log4j 2.15.0 update, so the suggestion is to install it as soon as possible.