Log4j vulnerability poses critical security risk

In December, a vulnerability in the open-source Apache logging framework Log4j led to security teams across the globe rushing to secure and patch their systems. Log4j is so widely-used that Jen Easterly, director at the Cybersecurity and Infrastructure Security Agency, called it the most serious security flaw she’d seen in her career, warning that businesses everywhere should make securing their systems against the vulnerability an urgent priority. As Log4j is an embedded Java logging library present in thousands of software products, security teams must write their own patches. The flaw, named Log4Shell, allows malicious Java code to be logged, granting bad actors access to the system in question. Significant attacks taking advantage of the vulnerability have been seen already, with ransomware gang NightSky targeting companies through VMWare Horizon systems, which use the Log4j framework. There have been reports of ransom demands of up to $800,000, demonstrating how severe the damage could be if left unpatched.