On Dec 9th, a critical zero-day vulnerability - CVE-2021-44228 - was announced concerning the Java logging framework - Log4j All current versions of log4j2 up to 2.14.1 are vulnerable. To remediate this vulnerability, please update to version 2.15.0 or later.

Audit logging involves recording transactions and system events, making it an invaluable tool for regulatory compliance, digital forensics, and information security. In a typical Kubernetes ecosystem, auditing involves providing chronological, activity-relevant records documenting events and actions in a cluster. Modern logging tools come with aggregation and analytical functionalities so that teams can use log data to mitigate security threats.

A critical vulnerability in the popular log4j library is currently being actively targeted on a broad global scale and possibly exploited based on advisories from multiple CERTs and vendors: CISA, Apache, etc. This Java library is integrated into many IT and DevOps tooling and workflows. On Dec 10, 2021, Apache released version 2.15.0, fixing CVE-2021-44228 (dubbed Log4Shell) an RCE with a maximum CVSSv3 score of 10.

When DevOps emerged more than ten years ago, the main focus was to bridge the gaps between dev and ops teams. This was achieved by introducing automation to the processes of designing, building, testing, and deploying applications. But as development teams continue to deliver faster and more frequently, security teams find it difficult to keep up. Often, they become the bottleneck in the delivery pipeline.

If you feel like you can’t go a week without hearing about yet another data breach on the news, you’re not experiencing déjà vu. Data breaches are on the rise, and massive organizations like Solar Winds and Facebook aren’t the only ones vulnerable to attack.

Today (Dec.10, 2021), a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228, categorized as Critical with a CVSS score of 10 (the highest score possible). The vulnerability was discovered by Chen Zhaojun from Alibaba’s Cloud Security team. All current versions of log4j2 up to 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.15.0 or later.

Security researchers recently disclosed the vulnerability CVE-2021-44228 in Apache’s log4j, which is a common Java-based library used for logging purposes. Popular projects, such as Struts2, Kafka, and Solr make use of log4j. The vulnerability was announced on Twitter, with a link to a github commit which shows the issue being fixed. Proof-of-concept code was also released to github which shows that the vulnerability is trivial to exploit.

Financial institutions are a rich target for cybercriminals, who scoop up sensitive personal information that allows them to open fake accounts and fraudulent lines of credit. According to research from services firm Accenture and the Ponemon Institute, the average annualized cost of cybercrime to financial institutions exceeds $18 million.