Log4Shell – EU organizations issue assessment and advice on the Log4j vulnerability
- Published: Thursday, 16 December 2021 10:03
The European Commission, the EU Agency for Cybersecurity, CERT-EU, and the network of the EU national computer security incident response teams (CSIRTs network) have issued a joint statement on the Log4Shell vulnerability.
Key points in the statement are:
- Log4Shell is a vulnerability in the well-known open source Java logging package Log4j, which is maintained by the Apache Software Foundation.
- Log4j is used in a wide array of applications and web services across the globe.
- Due to the nature of the vulnerability, its ubiquity and the complexity of patching in some of the impacted environments, it is important that all organizations assess their potential exposure as soon as possible.
Alongside the joint statement CERT-EU has published a detailed document to help organizations respond to and mitigate the vulnerability.
CERT-EU states that:
- This vulnerability could allow the attacker full control of an affected server, if a user-controlled string is logged.
- Since it is easy to be exploited, the impact of this vulnerability is quite severe. Reports show that it is being actively exploited in the wild.