Log4J Vulnerability Response

It has been widely reported, and widely felt, and for all the wrong reasons. A new zero-day exploit has been reported targeting the well-established Log4J2 library, allowing an attacker to execute code remotely. The vulnerability has been assigned CVE-2021-44228 against the log4j-core jar and has been fixed in Log4J v2.15.0.

As you've probably heard, a critical vulnerability in a Java library called Log4J was discovered last week, affecting millions of websites running Java applications around the world. Log4J is a common piece of software present on most Java web applications, including on certain cPanel servers.

Our team has already taken the necessary measures and all iTMG servers have now been duly patched, wherever we had access and permission.

What is log4j and why is it a problem?

Cybercriminals are actively exploiting a vulnerability that affects the Java logging library Log4j. This exploit was first discovered on December 9 and poses a great risk of unauthenticated remote code execution and access to servers.

The exploit has the potential to let hackers compromise millions of devices across the internet, as Log4j is used in many forms of software, such as cloud server platforms, web applications, and email services. As such, a wide range of software could be at risk from attempts to exploit the vulnerability.

Who is affected by the log4j vulnerability?

Log4j is used in a variety of software applications by a large number of popular online platforms, including Apple, Twitter, Amazon, Tesla, and Steam to name only a few.

If you, or your developer, have made changes without iTMG being involved, we strongly recommend you confirm with them whether Log4j is included in your software.

Is there technology in my system that could be affected?

Short answer, no: iTMG applications typically (but not always) use Java Spring. Yes, this is Java, but not a flavour or configuration that uses Log4j, so the Log4j exploit does not affect iTMG applications.

At the server level, Dedicated VM, VPS, and Managed Dedicated Servers have been updated with the latest patches. Unmanaged Dedicated Servers without a management programme, which iTMG does not touch, will not have been patched. We recommend you upgrade as a priority.

Long answer, possibly in specific configurations: to date we have not found any software customised by businesses or 3rd party developers to use Log4j. If you have a 3rd party developer who has made changes to your system without iTMG's involvement, we recommend you reach out to them to confirm the Log4j status of any changes or additions they may have made.
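One way to confirm that status yourself is to look for log4j-core jars on disk and inside deployed war/ear archives, and compare their version with the 2.15.0 fix named above. The script below is an added example written for this page, not iTMG's own tooling; the scan root and file layout are assumptions, and the threshold is the fix version stated above.

```python
import re
import zipfile
from pathlib import Path

# Fix version named in the advisory for CVE-2021-44228 (log4j-core); treat as a parameter.
FIXED_VERSION = (2, 15, 0)
NESTED_RE = re.compile(r"(^|/)log4j-core-[^/]*\.jar$")

def parse_version(text):
    """Turn '...2.14.1...' into (2, 14, 1); None when no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_vulnerable(version, fixed=FIXED_VERSION):
    """Any 2.x log4j-core build below the fix version is in scope."""
    return version is not None and version[0] == 2 and version < fixed

def jar_version(path):
    """Prefer Implementation-Version from the manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                return parse_version(m.group(1))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable archive or no manifest: use the file name instead
    return parse_version(Path(path).name)

def nested_log4j(path):
    """Entry names of log4j-core jars bundled inside a war/ear/fat jar."""
    try:
        with zipfile.ZipFile(path) as archive:
            return [n for n in archive.namelist() if NESTED_RE.search(n)]
    except (zipfile.BadZipFile, OSError):
        return []

def scan(root):
    """Return [(location, version, vulnerable)] for each log4j-core under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in {".jar", ".war", ".ear"} or not path.is_file():
            continue
        if path.name.startswith("log4j-core"):
            v = jar_version(path)
            findings.append((str(path), v, is_vulnerable(v)))
        for entry in nested_log4j(path):  # archives bundled inside a deployable
            v = parse_version(Path(entry).name)
            findings.append((f"{path}!{entry}", v, is_vulnerable(v)))
    return findings
```

Run `scan("/opt/tomcat/webapps")` (or whatever directory holds your deployments) and treat any finding flagged True as a jar to upgrade or remove; a jar whose version cannot be read is reported with version None so you can inspect it by hand.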

If you're not sure, drop us a ticket at https://itristanmedia.com/support