Advisory Type: IT Security
Summary: PDS is providing the following communication to build awareness of active exploitation of Apache's Log4j Java logging component.
On December 10, 2021, the Apache Software Foundation published CVE-2021-44228, documented on its Apache Log4j Security Vulnerabilities page, describing a critical remote code execution vulnerability in the Log4j 2 Java logging library. The vulnerability carries the maximum CVSS base score of 10.0.
Log4j is typically embedded in other vendors' products that use the Apache Java logging library rather than installed on its own, so exposure to this risk may not be immediately apparent from an inventory of installed software.
The IT industry is widely reporting and reacting to this announcement, and several software vendors have already published statements on whether their products are affected.
Almost immediately after the announcement, security researchers observed mass scanning and exploitation attempts against this vulnerability.
The Apache Software Foundation has issued an updated library, Log4j 2.15.0, in which the message lookup behaviour that enables the vulnerability is turned off by default; later releases go further and should be preferred when patching. Detection scripts are available to help identify vulnerable systems. Where patching is not immediately possible, the vulnerable condition can be mitigated by removing the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar.
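The following is an added example, written for this advisory rather than taken from PDS or the Apache project, showing the two activities described above: a detection scan that finds Log4j 2 archives on disk and reports whether each still carries the JNDI lookup code (including copies nested inside a vendor WAR or EAR, which is how Log4j usually ships), and the class-removal mitigation applied to a bare log4j-core jar. The directory layout, file names and archive contents are a constructed fixture containing only the entries the scanner keys on, not real Log4j bytecode.

```python
"""Added example (not PDS or Apache code): scan a directory tree for Log4j 2
archives, report their CVE-2021-44228 status, and apply the JndiLookup.class
removal mitigation. Paths, file names and the fixture are constructed."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# 2.15.0 disabled message lookups by default (the fix for CVE-2021-44228);
# later releases address follow-on issues, so patch to the current release.
# Anything below this version that still ships JndiLookup.class is vulnerable.
FIXED_VERSION = (2, 15, 0)
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def classify(version):
    """Status for an archive that contains JndiLookup.class."""
    if version is None:
        return "unknown"  # no pom.properties to read a version from: review by hand
    return "vulnerable" if parse_version(version) < FIXED_VERSION else "patched"


def inspect_archive(data, path):
    """Findings for one archive (bytes); recurses into nested jars/wars/ears."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP_CLASS in names:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                version = m.group(1).strip() if m else None
            findings.append({"path": path, "version": version, "status": classify(version)})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings += inspect_archive(zf.read(name), f"{path}!/{name}")
    return findings


def scan_tree(root):
    """Walk a directory and return findings for every archive under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    try:
                        findings += inspect_archive(f.read(), full)
                    except zipfile.BadZipFile:
                        pass  # not a zip despite the extension; skip it
    return findings


def remove_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class, the same effect as
    `zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class`.
    Copies nested inside a WAR/EAR must be extracted, fixed and repacked."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)


def build_sample_tree():
    """Constructed fixture: stub archives with a placeholder JndiLookup.class
    and a pom.properties, not real Log4j."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_jar(target, version):
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder")
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")

    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    make_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0")
    inner = io.BytesIO()
    make_jar(inner, "2.13.3")  # old copy bundled inside a vendor WAR
    with zipfile.ZipFile(os.path.join(root, "vendor.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", inner.getvalue())
    return root


def run_demo():
    """Scan the fixture, mitigate the bare vulnerable jar, rescan.
    Returns {archive basename: status} for both passes."""
    root = build_sample_tree()
    before = {os.path.basename(f["path"]): f["status"] for f in scan_tree(root)}
    remove_jndi_lookup(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"))
    after = {os.path.basename(f["path"]): f["status"] for f in scan_tree(root)}
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), run_demo()):
        print(label, result)
```

The second scan no longer reports the mitigated jar but still flags the old copy inside vendor.war: class removal only fixes the archive it was applied to, so every nested copy has to be found and handled, or the vendor's patched build installed. A jar that contains JndiLookup.class but no pom.properties is reported as unknown rather than assumed safe.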
We advise customers to review the status of CVE-2021-44228 for all vendor products that are Internet-facing or otherwise reachable from the Internet, and to address those first. Internet-facing systems are the most urgent, but any system that logs attacker-controlled input through a vulnerable Log4j is exposed and should be reviewed as well.