Snyk gives warning: update your Apache Log4j software immediately
London, December 12 - Last Friday, a critical vulnerability was publicly disclosed in the popular open source library Apache Log4j 2. Developer-first security company Snyk warns of the potentially large impact on companies.
The vulnerability, dubbed Log4Shell, affects the popular Java logging framework and is tracked as CVE-2021-44228. It is rated Critical with a CVSS score of 10.0, the highest possible score.
Many companies worldwide use Apache Log4j 2. Given the severity of the vulnerability, it is imperative that companies immediately update every affected version of Log4j 2 (2.0-beta9 up to and including 2.14.1) to version 2.15.0 or higher. Upgrading is the fix; the interim mitigation published by the Apache Logging project (removing the JndiLookup class from log4j-core) only reduces exposure until the upgrade is done, and it is not a substitute for it.
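Before anyone can update, they need to know where log4j-core actually is, and it is rarely a top-level file: it ships inside Spring Boot fat jars, wars and shaded artifacts. The following scanner is an added example written for this page, not Snyk's tooling or the Log4j project's code. It identifies log4j-core by its Maven pom.properties, encodes the affected range given above (2.0-beta9 through 2.14.1, fixed in 2.15.0 and later), recurses into nested archives in memory, and reports a jar whose JndiLookup class has been stripped as mitigated rather than vulnerable. The sample jars it builds for the demo are constructed stand-ins containing only the metadata and an empty class entry; the function and status names are this example's own.

```python
"""Scan a directory tree for log4j-core jars affected by CVE-2021-44228.

Example scanner added for illustration; not Snyk's or Apache's code.
"""
import io
import os
import re
import sys
import zipfile

LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
# major.minor[.patch][-qualifier[N]]  e.g. 2.14.1, 2.0-beta9, 2.0-rc1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def is_affected_version(version):
    """True if version lies in 2.0-beta9 .. 2.14.1, the range Apache lists
    for CVE-2021-44228 (the range as known when this notice was published)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return False  # unparseable: do not guess, the caller reports it
    major, minor = int(m.group(1)), int(m.group(2))
    qualifier, qnum = (m.group(4) or "").lower(), int(m.group(5) or 0)
    if major != 2 or minor >= 15:
        return False
    # JndiLookup did not exist before 2.0-beta9, so alphas and early betas are out
    if minor == 0 and (qualifier == "alpha" or (qualifier == "beta" and qnum < 9)):
        return False
    return True


def classify_jar(data, name="<jar>"):
    """Classify one archive's bytes. Returns a list of (path, version, status)
    tuples, descending into nested archives so fat jars and wars are covered."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if LOG4J_POM in names:
        props = zf.read(LOG4J_POM).decode("utf-8", "replace")
        version = next((line.split("=", 1)[1].strip()
                        for line in props.splitlines()
                        if line.startswith("version=")), "unknown")
        if version == "unknown":
            status = "unknown-version"
        elif not is_affected_version(version):
            status = "fixed"
        elif JNDI_LOOKUP not in names:
            status = "mitigated-class-removed"  # Apache's interim mitigation applied
        else:
            status = "VULNERABLE"
        findings.append((name, version, status))
    elif JNDI_LOOKUP in names:
        # shaded copy with no pom.properties: version unknown, lookup class present
        findings.append((name, "unknown", "VULNERABLE-shaded"))
    for entry in sorted(names):
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(classify_jar(zf.read(entry), f"{name}!/{entry}"))
    return findings


def scan_tree(root):
    """Walk a directory and classify every jar/war/ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(classify_jar(fh.read(), path))
    return findings


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: pom.properties plus an empty
    JndiLookup.class entry. No real bytecode, enough to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LOG4J_POM, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()


def build_fat_jar(inner_jar, inner_name="BOOT-INF/lib/log4j-core-2.14.1.jar"):
    """Constructed Spring-Boot-style fat jar wrapping a nested log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])  # e.g. python scan.py /opt/app
    else:  # no path given: demo on the constructed fat jar
        results = classify_jar(build_fat_jar(build_sample_jar("2.14.1")), "app.jar")
    for path, version, status in results:
        print(f"{status:24} {version:12} {path}")
```

Run it against the application's deployment directory; anything reported as VULNERABLE or VULNERABLE-shaded needs the upgrade to 2.15.0 or higher, and "mitigated-class-removed" still belongs on the upgrade list. The scanner deliberately does not try to recognise classes that a shading plugin has relocated to another package, so a clean result is evidence, not proof.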
Brian Vermeer, Senior Developer Advocate and Java Champion at Snyk, emphasizes:
"Many application frameworks in the Java ecosystem use this logging framework by default. For example, Apache Struts 2, Apache Solr, and Apache Druid are all affected. Apart from that, Apache Log4j is also used in many Spring and Spring Boot applications.
I would like to emphasise that this situation is very serious. There are currently warnings coming in from across the industry that attackers are currently actively looking for servers that are vulnerable to Log4Shell attacks. So we recommend that everyone check and update their applications to the latest version."
For more information about this vulnerability, read Brian Vermeer's blog post here. Snyk is also available to answer questions about the vulnerability and its possible consequences.