On December 9, 2021, the Apache Software Foundation disclosed that its Log4j framework contains a critical vulnerability that allows unauthenticated remote code execution (RCE), commonly known as Log4Shell or LogJam. This is a serious issue impacting a significant number of applications, as the framework is commonly used by most Java installations.
Invicti’s engineering teams have developed checks for Log4Shell in web applications and continue to evolve our products in real-time as new risks are introduced. These checks are now available for customers in all Invicti products.
“The vulnerabilities related to Log4j pose a serious risk to all organizations,” says Invicti Chief Product Officer Sonali Shah. “Amidst a lot of uncertainty, one thing is clear: we will only continue to see more of this at an even greater scale in the years to come. That’s why a truly continuous security program is absolutely essential, so that organizations are prepared to respond quickly when a new issue comes to light.”
For more information, please read our Log4Shell FAQ page.
More About Log4j
The Log4j vulnerability – CVE-2021-44228 – is also known as Log4Shell or LogJam.
The Log4Shell vulnerability may affect all Log4j 2 versions < 2.17.0 as well as many Log4j 1 versions.
Invicti strongly recommends using the latest version of Log4j (at the time of writing: 2.17.1) and frequently checking Apache’s page dedicated to this topic over the next few weeks.