Log4j component vulnerability actively exploited – install updates immediately!

Alert 5/2021

The vulnerable Log4j component is widely used in online services, and new exploits are constantly discovered. Administrators must take immediate action to respond to the issue.

Over the weekend, more information has become available on the extent of the vulnerability. Log4j is extremely widely used in popular applications. Attempts to exploit the vulnerability have soared, and new vulnerable services are constantly being discovered. A list of vulnerable applications is maintained on GitHub, a code hosting platform. To our knowledge, attackers are actively attempting to exploit the vulnerability against Finnish organisations as well.

Patching takes time. Application developers are releasing updates for their products, but deploying them takes time: the vulnerable component may be hard to locate, and updates must be tested before they are rolled out.

Based on information from public sources, the vulnerability affects a major part of the services on the internet. We will update our vulnerability report as new information about vulnerable applications becomes available. The report also includes instructions for detecting and testing for the vulnerability and for mitigating its impact.

We highly recommend updating Apache Log4j to version log4j-2.16.0, published on 14 December 2021, as soon as possible. The updates must be installed by system administrators; individual users cannot fix the vulnerability themselves.

Target group of the alert

We recommend that organisations investigate whether their services use Log4j components.
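One way to carry out that inventory, as an added example that is not part of this alert or of NCSC-FI's tooling: the Python script below walks a directory of Java archives, reads the log4j-core version from the Maven pom.properties file, checks for the JndiLookup class shipped in log4j-core 2.x, recurses into jars nested inside fat jars, WARs and EARs, and flags anything below the log4j-2.16.0 version this alert recommends. The sample archives it builds are constructed stand-ins, not real Log4j jars; the class path and pom.properties path are those used by log4j-core 2.x.

```python
import io
import zipfile
from pathlib import Path
# Paths inside a log4j-core 2.x jar; neither exists in Log4j 1.x (package org.apache.log4j).
LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # the version this alert recommends

def parse_version(text):
    """'2.15.0-rc2' -> (2, 15, 0); qualifiers after '-' are ignored."""
    return tuple(int(p) for p in text.split("-", 1)[0].split(".") if p.isdigit())

def inspect_jar(data, name):
    """Findings for one archive, recursing into nested jars (fat jars, WARs, EARs)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), None)
        has_lookup = LOOKUP_CLASS in names
        if version or has_lookup:
            # JndiLookup present but no version metadata (e.g. a shaded jar): flag for review.
            outdated = version is None or parse_version(version) < FIXED_VERSION
            findings.append({"jar": name, "version": version,
                             "jndi_lookup": has_lookup, "vulnerable": has_lookup and outdated})
        for inner in sorted(names):
            if inner.endswith((".jar", ".war", ".ear")):
                findings.extend(inspect_jar(zf.read(inner), f"{name}!{inner}"))
    return findings

def scan_directory(root):
    """Inspect every .jar/.war/.ear below root (e.g. an application server's lib directory)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in (".jar", ".war", ".ear"):
            findings.extend(inspect_jar(path.read_bytes(), str(path)))
    return findings

def build_sample_jar(version, include_lookup=True, nested=None):
    """Constructed test archive that mimics log4j-core's layout; not a real Log4j jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_lookup:
            zf.writestr(LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if nested:
            zf.writestr("BOOT-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()
```

Log4j 1.x jars use the package org.apache.log4j and contain neither path, so they produce no finding, in line with the note on 1.X versions below; archives that carry the lookup class but no Maven metadata are reported with an unknown version for manual review.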

Possible solutions and restrictive measures

The critical vulnerability in the Apache Log4j component is being actively exploited. On 9 December 2021, Apache published an update for the vulnerable component with the version number log4j-2.15.0 (the full version identifier of the patch is log4j-2.15.0-rc2). Administrators should install the update immediately.

According to NCSC-FI's current information, the Log4Shell vulnerability does not affect Log4j versions 1.X.

More information

Update history

The alert is no longer valid (9 Feb 2022).