Log4j component vulnerability actively exploited – install updates immediately!

Over the weekend, more information has become available on the extent of the vulnerability. Log4j is extremely widely used in popular applications. Attempts to exploit the vulnerability have soared, and new vulnerable services are constantly discovered. A list of vulnerable applications is maintained in the Github service, a code hosting platform. To our knowledge, attackers are actively trying to exploit the vulnerability also in Finnish organisations.

Updates take time. Application developers are releasing updates for their products, but their implementation takes time. It may be challenging to locate the vulnerable component, and updates must be tested before deployment.

Based on information from public sources, the vulnerability has affected a major part of services on the internet. We will update our vulnerability report (external link) as new information about vulnerable applications becomes available. We have also added to the report instructions on how to detect and test the vulnerability and mitigate its impact.

We highly recommend updating your Apache Log4j to the version log4j-2.16.0 published on 14 December 2021 as soon as possible. The updates must be installed by system administrators. Individual users cannot fix the vulnerability.