Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there’s a wide range of software that could be at risk from attempts to exploit the vulnerability.

What we know

A member of Alibaba’s cloud security team discovered a dangerous vulnerability known as Log4Shell, which has affected the likes of iCloud, Steam and Minecraft–and poses a real threat to businesses more generally.

What is the vulnerability in log4j?

The vulnerability can be exploited by using a single line of code and allows attackers to execute remote commands on a victim’s system. It can be exploited by attackers to take control of any Java-based web server and carry out remote code execution (RCE) attacks.

Actions to take

1. Install the latest updates immediately wherever Log4j is known to be used

This should be the first priority for all organisations using software that is known to include Log4j.

2. Discover unknown instances of Log4j within your organisation

To support the first priority action above, you also should now determine if Log4j is installed elsewhere. Java applications can include all the dependent libraries within their installation.

3. If you are a developer of any affected software, the ACSC advises early communication with your customers to enable them to apply mitigations and install updates where they are available.

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.