Status: Log4shell (CVE-2021-44228)

Following the recent log4shell (CVE-2021-44228) vulnerability, Trifork Security would like to provide you with our recap of the state of affairs. This will keep you up to date, helping you ensure, that you have done what is urgently needed and if relevant, recognise needed adjustments before the attackers help you do that the expensive way.

Going one step further, we would like to offer you this comprehensive guide to mitigating the vulnerability.

Simply download the PDF file below, to get the guide - and all the Log4shell information you need.

image

The vulnerability in short

As most people hopefully already know, at the end of last week details relating to a highly critical vulnerability in the log4j Java component were released. The vulnerability scores 10/10 (CVSS v3), the highest possible among other things because of its ease of exploitation.

It allows access to execution of code and it can be used across networks. In addition, the procedures for exploitation are well defined and probably the most important thing - Java and the vulnerable component (log4j) is widely used and often with Internet-facing applications where it is easy for everyone on the Internet to attack. In short, this is the most critical vulnerability in recent years since Heartbleed and Shellshock in 2014.

More details can be found here: 

Here are our recommendations:

We highly encourage you to follow them in order to secure your systems against exploitation of log4shell. As can be seen, several of the recommendations are complementary. This is done intentionally. The issue is expected to evolve and a security measure that we today believe to be sufficient may prove to have unforeseen limitations. In that case it is convenient to have used the well-known principle of Layered Security.

You can download our Log4j mitigation manual by clicking the link below:

Log4j mitigation guide

image
image

Status: Log4shell (CVE-2021-44228)

Got questions? Let’s talk

As most people hopefully already know, at the end of last week details relating to a highly critical vulnerability in the log4j Java component were released. The vulnerability scores 10/10 (CVSS v3), the highest possible among other things because of its ease of exploitation.

It allows access to execution of code and it can be used across networks. In addition, the procedures for exploitation are well defined and probably the most important thing - Java and the vulnerable component (log4j) is widely used and often with Internet-facing applications where it is easy for everyone on the Internet to attack. In short, this is the most critical vulnerability in recent years since Heartbleed and Shellshock in 2014.

More details can be found here: 

Here are our recommendations:

We highly encourage you to follow them in order to secure your systems against exploitation of log4shell. As can be seen, several of the recommendations are complementary. This is done intentionally. The issue is expected to evolve and a security measure that we today believe to be sufficient may prove to have unforeseen limitations. In that case it is convenient to have used the well-known principle of Layered Security.

You can download our Log4j mitigation manual by clicking the link below:

Log4j mitigation guide