
CRITICAL ALERT: Log4Shell

We want to make our readers and their security operations aware of a critical vulnerability that is actively being exploited in the wild.

CVE-2021-44228 can easily be exploited to gain complete access to the targeted system by getting the application to log a specially crafted string.

Government organizations and the private sector are responding to the disclosure of a critical vulnerability affecting the widely used Log4j logging utility, as exploitation attempts are on the rise.

The vulnerability is tracked as CVE-2021-44228 and dubbed Log4Shell, and it can be exploited to gain complete access to the targeted system by getting the affected application to log a specially crafted string.

Palo Alto Networks has an analysis here.

The list of affected companies and software includes Apple, Tencent, Twitter, Baidu, Steam, Minecraft, Cloudflare, Amazon, Tesla, IBM, Pulse Secure, Ghidra, ElasticSearch, Apache, Google, Webex, LinkedIn, Oracle, Cisco and VMware. The list is being regularly updated.


Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.