Java Log4j Vulnerability

This post is simply a heads-up about a significant vulnerability disclosed in the last few days in Log4j, a widely used logging library for Java, a common language used to develop more complicated websites. The threat is significant and should be patched immediately if you are using the Log4j library or any other library that uses it as a dependency.

Java is an extremely popular language used to build complicated websites. However, a Java library called Log4j has recently been demonstrated to be vulnerable. Worse yet, from what I understand, it is actively being attacked. If your website depends on Java, you should immediately talk with your IT support group to make sure they understand this vulnerability and are working to resolve it if necessary. This is a high-severity vulnerability: it allows remote code execution, which gives the attacker control over the website being attacked.
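As an added example that is not part of the original post, the following Python script does the first thing an IT group should do here: inventory a deployment directory for Log4j, including copies bundled inside .war or .ear files, and report each one with the artifact and version recorded in its Maven metadata so it can be compared against the project's fix guidance. The sample archives it builds are constructed placeholders (the version string is not a real Log4j release), not real Log4j jars.

```python
import os
import tempfile
import zipfile
from io import BytesIO
LOG4J_PKG = "org/apache/logging/log4j/"                 # class tree shipped by the log4j artifacts
LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/"  # Maven metadata carrying artifactId/version
ARCHIVES = (".jar", ".war", ".ear")

def inspect_archive(data: bytes, label: str) -> list:
    """Return (label, artifactId, version) per log4j artifact found, recursing into nested archives."""
    found, artifact, version = [], None, None
    if not zipfile.is_zipfile(BytesIO(data)):
        return found  # not a zip container; nothing to inspect
    with zipfile.ZipFile(BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:  # pom.properties inside the jar records which log4j artifact/version it is
            if name.startswith(LOG4J_POM) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, sep, value = line.strip().partition("=")
                    if sep and key == "artifactId":
                        artifact = value
                    elif sep and key == "version":
                        version = value
        if any(n.startswith(LOG4J_PKG) for n in names):
            found.append((label, artifact or "unknown", version or "unknown"))
        for name in names:  # a .war/.ear bundles its jars under WEB-INF/lib; descend into them
            if name.lower().endswith(ARCHIVES):
                found.extend(inspect_archive(zf.read(name), label + "!" + name))
    return found

def find_log4j(root: str) -> list:
    """Walk a deployment directory and report every archive that carries log4j classes."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVES):
                with open(os.path.join(dirpath, fname), "rb") as fh:
                    results.extend(inspect_archive(fh.read(), fh.name))
    return results

def make_sample_site() -> str:
    """Constructed fixture: a .war bundling a fake log4j-core jar with a placeholder version."""
    root = tempfile.mkdtemp()
    inner = BytesIO()
    with zipfile.ZipFile(inner, "w") as core:
        core.writestr(LOG4J_PKG + "core/Logger.class", b"\xca\xfe\xba\xbe")
        core.writestr(LOG4J_POM + "log4j-core/pom.properties", "artifactId=log4j-core\nversion=0.0.0-sample\n")
    with zipfile.ZipFile(os.path.join(root, "shop.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-sample.jar", inner.getvalue())
    return root
```

Run `find_log4j("/path/to/your/deployment")` against the real server directory; a reported version tells you which release you are on, and whether that release is fixed must be checked against the Log4j project's advisory.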

If you have susceptible code, it is recommended that you act as if your website has already been compromised and begin testing and evaluating your website for a full security breach. While the chance that this has actually already occurred might be remote, the severity of the issue certainly means it is a possibility for your website.

While these attacks are generally unavoidable, it’s important to have your IT staff constantly informed of security vulnerabilities. They should already be continuously applying security patches to your website in order to keep you and your customers secure. This hack, as far as I understand, would allow the hacker to access code that could potentially allow access to your databases. If you are storing customer information, this could lead to a significant data breach, depending on the level of data you are maintaining about your customers.

This post is not meant to frighten or provoke anxiety, but this is the reality of having a website online built on a common language, framework, or library. Security vulnerabilities probably exist in each of those but have yet to be discovered. The good news is that researchers are constantly evaluating these and, generally, contacting the developers before posting about the vulnerability. This allows the developers to release security patches so that you can fix your website before a malicious actor attempts to compromise it.