December 16, 2021

What is CVE-2021-44228 or Who the hell is Log4J ?

On December 10, 2021, details emerged about a critical remote code execution vulnerability in Apache Log4j, assigned as CVE-2021-44228, in which remote users who can cause specifically crafted strings to be processed by an application’s Log4j logging layer. It takes advantage of Log4j not checking against LDAP and JNDI (Java Naming and Directory Interface) requests and may be able to execute code, and thereby take control of the server or local machine hosting the affected application.

The official security advisory from Apache can be found here:

But it is important to understand just how severe this is. As our CTO mentioned on the day it was announced, Heartbleed ( which was an OpenSSL vulnerability affecting a large proportion of Web traffic, was categorised as a 7.5.

Log4J is categorised as a 10. A perfect 10.

The fact that this can affect everything from Minecraft (popular MMO game) to Microsoft & Amazon to Apple gives you a sense of the scale of the potential impact. The CISA, (Cybersecurity and Infrastructure Security Agency, a Department of Homeland Security) says that Log4J will affect hundreds of millions of devices and that “no single action will fix the issue”

Basically, if you or your software/service create a log for anything you should check your status. It potentially effects everyone, and I mean everyone!!

At Device Authority we acted swiftly to remediate the impact of Log4J and have published the following article:

If you have any questions or doubts about KeyScaler and Log4J then reach out today so that we can understand your concerns.

Act now, stay safe!!

Paul Lockley