The Log4j Vulnerability: A Plain English Guide for UK Businesses

Published
The Log4j Vulnerability

Executive Summary

  • In December 2021, a vulnerability was discovered in the Apache Log4j framework, which is a type of cyber security logging software used in websites and web apps across the world.

  • The Apache Log4j vulnerability, if left unattended, could allow malicious individuals to break into online-based systems, including cloud services and applications, to compromise data.

  • All UK businesses (and their IT support teams) should take action if they’re using any systems which rely on Apache Log4j. This article will explain what the vulnerability is and which actions companies should take to resolve it.

Introduction

Every now and then, a cyber security issue comes to light which affects almost every business on the planet.

In December 2021, that’s exactly what happened with the Apache Log4j 2 vulnerability.

IT support teams everywhere scrabbled to limit the risks of this vulnerability, which effectively created an access point for cyber attackers, and the problem has now been patched – but some action may still be required.

If all of this sounds like technical jargon, don’t worry, we’ve got you covered. In this guide, we’ll explain what Log4j is, how it was compromised, and what IT support teams need to know to secure their businesses.

What is Apache Log4j?

Log4j is a logging tool designed to maintain a list of events which occur in the application which developers or IT support teams can then review to diagnose problems and identify issues.

All business systems, especially large cloud-based systems like Google’s Workspace or Microsoft 365, rely on lots of other, smaller, systems to keep up and running. They do this mainly for practical reasons: it would simply take far too long to code every new element of an application by hand every time, so developers use existing code instead.

Apache Log4j is an example of one of these smaller systems which make up a larger whole. It is a framework (also known as a software library) written in a coding language called Java and it’s open-source, meaning it’s freely used in different software all over the world. For this reason, the scale of the potential risk posed by the Log4j vulnerability is larger than any cyberthreat in recent memory.

What is the Apache Log4j vulnerability?

On 9th December 2021, the existence of a vulnerability in Apache Log4j version 2.15 and below was disclosed. The exploit’s full name is “Log4Shell (CVE-2021-44228)” and it was assigned a risk rating of 10 – the highest possible risk – by the Apache. At the time of the announcement, the National Cyber Security Centre (NCSC) revealed that they had already detected attempts to scan for the affected software libraries

Without going in to too much technical depth, this exploit could essentially allow an attacker to access a piece of software which uses the Log4j software library, then execute their own unauthorised code on that device. This code could steal files, delete data, create botnets, carry out cryptomining, or do practically anything the attacker desired. In short, it’s very dangerous.

The Apache Log4j vulnerability falls into the category of a ‘zero-day’ cyber attack. We’ve covered this in previous blog posts, but essentially that means that the exploit is entirely new and so has no immediate fix available – or had no fix available at the time, at least.

Has the Log4j vulnerability been fixed or patched?

Yes.

Because the vulnerability was privately disclosed to Apache three days prior to the public announcement, a patch to fix the exploit was actually available as early as December 6th 2021. This meant that Apache were able to announce the problem and the solution at the same time. However, even their initial fix had some teething problems, meaning updates were still being pushed as of December 18th 2021.

However, it fell to IT support teams and developers all over the world to actually distribute and install the updated version of the software library, which took some time. Even now, some systems will still be vulnerable to this attack due to not being updated – which emphasises how important it is for businesses to take mitigative action.

What IT support teams need to know about Log4j vulnerability

Since the discovery of the Apache Log4j vulnerability, it has been being tracked in detail by the NCSC which has maintained a timeline of key events.

It’s here that IT support teams should focus their attention for the latest updates; however, as of early January 2021, several measures have been taken to contain the Log4j vulnerability.

  • If any applications in your business have been developed in-house and are using the versions of Apache Log4j between versions 2.0-beta9 and 2.15, they should be immediately updated to at least version 2.17.0. Your IT support or development teams can help you do this.

  • If you’re unsure whether your third-party applications are using a vulnerable version of Log4j, ensure you update them to the latest version immediately, as well as checking with the software’s vendor to see if there was a risk and if it was patched. Big tech players like Microsoft are already pushing updates to ensure their customers are protected – though most of their products are unaffected.

  • Finally, double-check with your IT support team that none of your web servers, web-based applications, network devices, or other software and hardware are using an affected version Log4j. If so, these must be updated immediately to close potential cyber security holes.

Need a reliable IT support team to keep your business cybersafe?

The scale of the Apache Log4j vulnerability is a good reminder of how important robust cyber security systems and policies can be. Whether that’s ensuring systems are up to date at all times to monitoring for potential zero-day breaches, your IT support team is on the front line of this effort.

At Get Support, we pride ourselves on delivering IT support agreements that include watertight cyber security advice, along with the deployment and management of the systems required to maintain this security. If you’re not sure your company is cybersecure, we can help make it happen.

To learn more about exactly how we could help your business stay safe, call the IT support experts on 01865 59 4000 or just enter your details into the form below.

Latest From The Blog

Microsoft is Finally Killing the Control Panel… Or Is It?  

Microsoft is finally saying goodbye to the Control Panel in favour of the Settings app. But is there more to this story than meets the eye?

A Fond Farewell to Microsoft Publisher

After a 33-year career, Microsoft announced that Microsoft Publisher will finally reach end of life status in October 2026.

Microsoft 365 Copilot Release Roundup: June & July 2024

Discover the latest and greatest updates for Microsoft Copilot released during June and July 2024. Includes the new “Catch-up” feature, AI-powered PDFs, and more.