Initially spotted on November 24, by Alibaba Cloud’s Security Team, the zero-day vulnerability CVE-2021-44228 was officially reported by the Apache Software Foundation on Thursday, December 9.
The vulnerability concerns the Log4J logging utility, an important software component that is very widespread in a great number of applications that use the Java language.
As a cybersecurity software editor, TheGreenBow took immediate action to assess the impact of the recently discovered security breach on its products.
No impact on TheGreenBow products
Following the impact audit conducted on its products regarding vulnerability CVE-2021-44228 (“Log4Shell”), TheGreenBow is now able to confirm that none of its products use the Log4j library. Therefore, we can safely say that this vulnerability does not apply to any of our products (VPN Clients and License Activation Server).
What does this breach entail?
The security breach, named “Log4Shell”, is currently of great concern to CISOs, since it may be present in a great number of information systems hosting office automation software, servers, or embedded systems. Locating the issue and correcting it may therefore take quite some time.
Attackers who exploit this vulnerability can execute arbitrary code on a server that uses the Log4j library. In worst case scenarios, an attacker may be able to take complete control of the server without needing to authenticate in view of gaining access to the network, stealing sensitive information, or even launching a denial-of-service attack.
In its press release dated December 16, the French National Cybersecurity Agency (ANSSI) confirms that the Log4Shell vulnerability is being actively exploited. A race against the clock has thus begun to stay ahead of cybercriminals.
To find out more about Log4Shell
- Apache Security Bulletin dated December 9, 2021: here
- ANSSI’s official statement: ANSSI’s official press release
- For those who want to stay up to date, we recommend following the CERT-FR security bulletin here, as it is updated on a regular basis.
- The following GitHub lists can help you keep track of affected software and services: