Log4j is a java-based tool from Apache’s open source library used for parsing logs that never seems to have made headlines before this past weekend. Now, following the December 9th public announcement of a vulnerability in this tool, public and private sector security partners are issuing warnings about this “critical vulnerability.” While the full scope and exploitability of this vulnerability remains to be seen, the Cybersecurity and Infrastructure Agency (“CISA”) has issued a statement that they are taking “urgent action.” Noting this vulnerability “poses a severe risk,” CISA “is proactively reaching out to entities whose networks may be vulnerable,” and is leveraging it scanning and intrusion detection tools “to help government and industry partners identify exposure to or exploitation of the vulnerability.” While CISA has issued basic guidance (including to patch any known externally-facing uses of Log4j), we can expect more intelligence and mediation recommendations in the coming days and weeks.
About Kim Peretti
A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top of the line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.