High-level executive summary
"Log4Shell" is a recently-published zero-day vulnerability in Apache’s Log4j software library. Log4j is used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. A malicious threat actor could exploit this vulnerability to take control of an affected system.
- The vulnerability is a “new way in” for attackers and provides additional opportunity to leverage existing cyberthreats. Security best practices (e.g., timely patching, zero trust principle, network segmentation, asset management, network visibility) remain the most effective means to mitigate cybersecurity risk.
- Given the breadth of use of the Apache’s Log4j software library, the vulnerability represents a significant attack vector for organizations worldwide. Investigating the potential exposure poses a considerable challenge for organizations of all sizes. This is especially true for organizations dependent on third party vendors for this know-how.
- The vulnerability also presents a supply chain risk, as software vendors and service providers may themselves be victims of these attacks.
- The type of threat actors using this vulnerability will evolve over time. Currently, the vulnerability is being exploited by economically-driven opportunistic threat actors (cryptominers and botnets). We expect that more advanced threat actors, who value stealth and persistent access, will emerge the coming weeks e.g., deploying ransomware.
- Much remains unknown about this vulnerability, including potential threat scenarios, or how this exploit can be combined with other offensive techniques. Given the breadth of the vulnerability exposure, it is expected that the vulnerability will continue to be exploited for months to come.