Log4j response: Visibility is key

Feb. 14, 2022
Open-source logging vulnerability renews software supply chain concerns

Following on the December 2020 revelation of the Solar Winds software supply chain hack by Russian operatives, 2021 was not to be outdone, with December 2021 marking the discovery of Java developers' “own goal” on the global IT/OT infrastructure.

About a decade ago, contributors to release 2 of the Apache Foundation’s open source Log4j software thought it would be a neat idea for the message/event logging software to be able to send a log that would also execute code, explains Eric Byres, CTO at aDolus (www.aDolus.com).

“Effectively, the Log4Shell vulnerability in the Log4j library provides a way to bundle a command into a message that looks like an event log, send it to your potential victim’s log collector, then initiate a takeover,” Byres explains. The Log4j vulnerability is of particular concern because its use is extremely widespread, the exploit is trivial, plus it’s used in very high level, mission-critical servers. “It’s Solar Winds without the Russians,” Byres adds.

Read more on ControlGlobal.com.

Sponsored Recommendations

The Value of Dual Rated AC/DC Disconnect Switches

Why is it necessary for me to have a disconnect switch installed in my application?

Ultra-fast, ultra-accurate linear indexing

NSK integrates advanced automation and drive technologies to deliver high capacity, high speed, ultra-precise indexing and positioning in a compact, flexible linear actuator: ...

2024 Moxa Product Solutions Brochure

Explore how Moxa's products provide one-stop solutions for your industrial automation success. Learn how our products and solutions provide the reliability, security, ruggedness...

Boost Your Industrial Automation With Our Adaptable and Reliable Computers

Discover our brochure featuring 75 optimized x86 industrial computers for your needs. This 8-page guide offers insights on choosing the best models and achieving automation success...