In Simple Terms...
Log4j is an open source logging framework from the Apache Foundation. Its primary purpose is to facilitate application logging for web applications. What makes it dangerous is the ability to execute arbitrary commands on the server, simply by submitting a particular string to a field that the application then stores in the log file(s). For example, renaming your iPhone to the exploit string can trigger the vulnerability on Apple's iCloud servers. Hopefully this is fixed by now.
Coupled with an extensive amount of adoption from large and small companies alike, this simple exploit is being abused in the wild by malicious actors. Problems range from:
- Data disclosure
- Remote Code Execution (RCE)
- Server takeover
- Denial of Service (DoS)
Be aware that many breaches are likely to stem from this and will trickle out over the coming weeks and months. The attack surface is extremely large and thus the total damage is difficult to estimate at this time. We'll keep our post updated as new information becomes available. If you have specific concerns, please use the contact form (top right corner of this page) to reach out to us.
Send Us Your Comments
What did you think of this article? Send us a note to let us know what you liked, would like to see more of, or what we can do better. And don't be surprised if we reach back out with a small 'thank you' gift for your feedback.