Flaws Discovered in Original Update to Fix Log4j Vulnerability; Users Must Update to Newest Version of Apache Log4j 2.16.0
On December 10th, a critical vulnerability was publicly disclosed in the Apache Log4j Java-based logging package, which is commonly used by organizations across the world. When first disclosed late last week, Apache had already released an updated version of Log4j version 2.15.0 to remedy the security flaw, which we covered in our initial alert on December 11th.
However, since then, it has been determined that this fix doesn not fully address the vulnerability and has been further updated to version 2.16.0. Apache is urging all users to take immediate action to update their systems to the latest version.
The Log4Shell vulnerability is serious and requires immediate action. The sheer ubiquity of companies that use the Java logging package adds to the urgency given the significant potential for abuse by malicious actors. ACA Aponix® recommends to:
- Work with your IT team or MSP to urgently review and patch your systems to the latest Log4j version 2.16.0.
- Engage with third-party vendors to ensure they patch their systems to the latest version
- Reach out to ACA Aponix or other trusted third-party advisors for assistance with reviewing patching procedures as needed.
How we help
ACA Aponix offers the following solutions that can help your firm protect itself in relation to this and similar cybersecurity warnings, and to enhance your firm's cybersecurity in general:
- Threat intelligence, phishing testing and monitoring
- Operational resilience and governance
- Risk assessments and regulatory compliance testing services
For more information, about this vulnerability, read our extensive article, Log4Shell Vulnerability: What We Know and Action Steps to Take.