Criminals are actively leveraging a new zero-day exploit, known as Log4Shell, to break into systems at organizations of all sizes, as well as cloud providers. This new vulnerability named has emerged allowing adversaries to execute code on any server running the Java logging library Apache Log4j. This vulnerability impacts websites, applications, software, and services including Microsoft, Apple, Google, AWS, and more. Due to the wide range of applications that may be exploited and the large number of potential delivery mechanisms, Log4Shell is a high severity threat.
This vulnerability (tracked as CVE-2021-44228) affects the Apache Log4j 2 Java-based logging library, which is widely used in on-premises software, cloud services, and web applications. Due to the wide range of affected applications and the ease of exploitation, this has been dubbed “the worst computer vulnerability discovered in years.”
The League is recommending that all credit unions immediately patch, then check and determine whether you have been impacted by this vulnerability. Next credit unions should contact their line of business software vendors and any applications you use have tested and remediated the Log4j vulnerability. You can do this by checking their website/blog for an update on Log4j. If nothing is found and you have not received an email from the vendor with an update, then call their support line or send an email for an update.
To learn more about this vulnerability go to the SentinelOne Blog.