Security

Critical Vulnerability in Log4j

Critical vulnerability log4j devolutions blog

December 13, 2021

Hi there, I'm Sebastien. In my role as Application Security Specialist, I focus on ways that we can integrate and strengthen security across all of our products. To achieve this critical objective, I work closely with our various software development teams and provide ongoing training, tools, and guidance. I believe that security must be a shared priority and commitment across the organization, and I am proud to work for a company that never loses sight of this fundamental principle.

View more posts

Last Friday a critical vulnerability was discovered in the Apache log4j project (CVE-2021-44228). For software using the library, simply logging a string of a specific format can lead to remote code execution. Log4j 2.15 fixes this issue, we advise our users to update their affected products as soon as possible.

We conducted an in-depth review and can confirm that products and services provided by Devolutions are not affected by this vulnerability.

Details and Mitigation

LunaSec published a great explanation of how this vulnerability can be exploited if you are interested in the details. The gist of it is that simply by logging a string in a specific format, a vulnerable application can be made to download and execute arbitrary code from a remote LDAP server. Because log4j is the de facto logging library for Java applications, a very large number of systems and services are affected.

Projects using log4j should update to version 2.15 as soon as possible. The log4j project also provides other mitigation steps.

We also advise our users to update their systems that are affected by this vulnerability. The Nationaal Cyber Security Centrum published a list with the vulnerability status for products of major vendors.

https://github.com/NCSC-NL/log4shell/tree/main/software

Table of Contents

Details and Mitigation

Security

20 Shocking Cybercrime Statistics: 2024 Edition

Cybercrime is intensifying, with soaring costs, increased SMB threats, remote work risks, and a surge in phishing and ransomware, highlighting the urgent need for stronger cybersecurity measures.

Laurence Cadieux

July 4, 2024

Security

Devolutions Achieves SOC2 Type-II Report Renewal for 2023

Devolutions has renewed its SOC2 Type-II report for the third consecutive year. This achievement underscores our commitment to top-tier security and compliance standards.

Vincent Lambert

June 6, 2024

Security

Gartner lists top 9 cybersecurity trends for 2024

In this article, Devolutions shares Gartner’s nine key trends for 2024 that security and risk management leaders should focus on to enhance organizational resilience and cybersecurity performance.

Laurence Cadieux

April 18, 2024

Critical Vulnerability in Log4j

Details and Mitigation

20 Shocking Cybercrime Statistics: 2024 Edition

Devolutions Achieves SOC2 Type-II Report Renewal for 2023

Gartner lists top 9 cybersecurity trends for 2024

Read more Security posts