Vulnerability Alert: To Date, Log4j May Be the Most Prevalent Vulnerability in History

By David Gewirtz

As of this writing, a cybersecurity flaw in a widely used software component known as Log4j ranks among the worst security flaws in history, leaving hundreds of millions of devices exposed to attackers.

There is a delay between writing this column and you reading it, so I do have the somewhat limited hope that by the time you read this piece, some of the most exposed systems will be patched. But because of the prevalence of this flaw, the difficulty in patching it, and the natural inertia involved in fixing anything on a widespread basis, I suspect most of you will still be at risk when you read this.

Log4j is a Java library (a reusable package of code that programmers build into their own software) that logs error messages onto a computer or server. It’s distributed by the open source Apache Software Foundation, and the flaw affects any Internet-connected device running Log4j 2.0 through 2.14.1.

The flaw effectively allows anyone to get text of their choosing written into a file on a computer. Because that text is not filtered, it can contain program code that opens the machine up to malware, persistent attacks, and even total control by an outsider. It’s very, very bad.

United States Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly released a statement on the Log4j vulnerability. We’re reprinting it in full because it’s important you get the message about how critical this vulnerability is:

“CISA is working closely with our public and private sector partners to proactively address a critica...