Survey

Below is the Survey about the Apache Log4j vulnerability. Please answer Yes/No to the following questions:

Frequently Asked Questions (FAQ)

What is all of this about, and what is Log4j?

Apache log4j is a Java logging framework commonly used across applications to facilitate logging. This package is commonly included as a dependency of core Java frameworks or libraries and may be included in your Java-based applications either directly or indirectly. See https://logging.apache.org/log4j/2.x/ for more information on this is, or more general information on https://www.techrepublic.com/article/how-to-protect-yourself-from-the-log4j-security-vulnerability/.

How worried should I be about this?

The CVEs (Common Vulnerabilities and Exposures) identified as part of the Apache Log4j framework have been rated as critical vulnerabilities, and as such should be taken very seriously. Any Java-based application should be immediately checked for its usage of any version of Apache Log4j and, if found, mitigated immediately. There have been several subsequent issues identified after the original vulnerability was reported, and an application that was patched early on may still be vulnerable. As of writing this, only the latest version 2.17.0 adequately mitigates the identified vulnerabilities.
This vulnerability creates the risk of information leaks, RCE (remote code execution), and LCE (local code execution) attacks, and for these reasons, it should be treated with importance.

How do I know if I’m affected?

Any Java-based application could be vulnerable to the CVEs identified. Even if the library is used directly, it could be included in your application through a library you rely on. It’s important to determine if your application or any systems within your environment depends on Apache log4j 2.0+ either directly or indirectly, as the existence of any of these libraries would indicate deeper analysis is required. Details on the specific versions of Apache Log4j that are vulnerable, with additional information, are available at https://logging.apache.org/log4j/2.x/security.html

For more information on these vulnerabilities, see:
https://cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

What if I know we are using Log4j in applications developed in-house?

We recommend that you get advice immediately and take remedial action, including updating to the latest version of Log4j (currently Log4j 2.17.0).

What if I know Log4j is present in applications supplied by a third party?

Again, we recommend that you get advice immediately and take remedial action, including keeping any such products updated to the latest version. More products may release patches over the next few days and weeks, and so organizations should make sure they’re checking for updates regularly.

What if I don’t know if anything we use is using Log4j?

Ask your in-house developers and/or third-party suppliers. Developers of affected software should communicate promptly with their customers to enable them to apply available mitigations or install updates. In turn, you should act promptly on any such communications from developers.
Source: https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know

Is there an easy way to scan my systems for these vulnerabilities?

There are numerous tools available online to help you scan your systems, however, it is important to be prudent when running any third-party scanning tools or software on your systems, and only do so if you entirely trust the source; it’s important to practice heightened awareness during these kinds of incidents, as attackers can use this as an opportunity to trick users into running malicious tools on their systems unknowingly.