Log4j, a Java library for logging error messages in applications, has been in the news. The vulnerability is known as Log4Shell was first identified in Microsoft’s Minecraft, with exploits cropping up on December 1st, but Log4j is ubiquitous.

It’s considered by many the biggest threat to the internet in a decade. Hackers can easily take control of servers that run networks and repurpose them to their own needs. Expect data to be stolen, from medical records to bank details, as well as an explosion of ransomware attacks.

There is a battle going with cybersecurity teams patching and implementing protective measures while new variations of the original exploit are being introduced at a rapid rate – over 60 in 24 hours at one point.

The range of software being exploited is wide and deep, including Amazon, Netflix, Apple iCloud, Android OS, Google Docs, and yes, LinkedIn. Log4j users should immediately look to upgrade to Log4j-2.15.0-rc2. Programmers have flooded Twitter and other forums with unofficial patches.

What can non-programmers do to protect their data? Not much. The good news for small businesses is that it appears that big hosting companies like Bluehost, Hostgator, and GoDaddy are not affected by the vulnerability. For all of you using WordPress, it isn’t written in Java and doesn’t use log4j. However, if you’re using a Java app in a custom application that works with WordPress or in your hosting stack you should reach out to your developer.

There are 4 plugins and 15 themes that I’ve seen that are vulnerable and should be patched or uninstalled. If you’re concerned you may be at risk, DM us and we’ll provide you the list. If you’re interested in a deep dive on how it works and how to fix it, here is a great explanation from Sophos.

A side note: It seems that the Apache Log4j project is maintained by three unpaid volunteers, and I became aware of it while “doom scrolling” on Twitter at 1 am Friday night.

A friend that works as a manager at a large retailer I won’t name told me their payroll and HR system, Kronos, was hit with ransomware this week. Companies depending on Kronos may be unavailable for some weeks. 

Fun fact: The Apache Log4j project is maintained by three volunteers.

#Log4j #Log4shell #Wordpress #Kronos # #cybersecurity #java