Log4j response: Visibility is key

Feb. 14, 2022
Open-source logging vulnerability renews software supply chain concerns

Following on the December 2020 revelation of the Solar Winds software supply chain hack by Russian operatives, 2021 was not to be outdone, with December 2021 marking the discovery of Java developers' ā€œown goalā€ on the global IT/OT infrastructure.

About a decade ago, contributors to release 2 of the Apache Foundation’s open source Log4j software thought it would be a neat idea for the message/event logging software to be able to send a log that would also execute code, explains Eric Byres, CTO at aDolus (www.aDolus.com).

ā€œEffectively, the Log4Shell vulnerability in the Log4j library provides a way to bundle a command into a message that looks like an event log, send it to your potential victim’s log collector, then initiate a takeover,ā€ Byres explains. The Log4j vulnerability is of particular concern because its use is extremely widespread, the exploit is trivial, plus it’s used in very high level, mission-critical servers. ā€œIt’s Solar Winds without the Russians,ā€ Byres adds.

Read more on ControlGlobal.com.

Sponsored Recommendations

Unlock the Future of Industrial Innovation with AI
Discover the reliable power supplies designed for industrial applications. Dive into IDEC's PS5R-V Compact Series catalog and unlock enhanced performance for your critical operations...
Industrial enclosures, PCs and operator interfaces are critical components in machinery. These devices have changed as they’ve evolved, along with the way manufacturing ...
Watch the video to find out how simulation for automation lets you validate and optimize production machines so you can build better battery machines faster.