What happened?
On December 9th, 2021, a zero-day exploit in the popular Java logging library “Log4J” (version 2) was discovered and widely publicized. The vulnerability can be used to execute code remotely by tricking a system into logging a specific malicious string. More technical details of this vulnerability can be found at this third-party resource.
Who is impacted?
An extensive list of responses from impacted organizations has been compiled here.
Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.
Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j2.
What is required of app developers?
Version 2.15.0 of the log4j library has been released without the vulnerability. This release can be downloaded from Apache's official Log4j page or from your language's package manager (Maven Central, for example). App developers must immediately update any apps and integrations that use the Log4J Java library. Failure to do so may result in merchant data being compromised and will put your application in violation. If upgrading is not possible, using the suggested temporary mitigation will also decrease the impact of the vulnerability. Common software solutions that may need patching or reconfiguration include Apache Solr, Apache Lucene, ElasticSearch, and other Java/JVM-based supporting applications.
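Before an app developer can update, they need to know which deployed artifacts actually bundle a vulnerable log4j-core. The script below is an added example, not part of this advisory or of the Log4j project: it walks a directory tree, opens every .jar/.war/.ear, reads the version from the Maven pom.properties that log4j-core jars carry, and flags anything below the fixed release named above (2.15.0, kept in a constant so it can be raised to whatever your current guidance requires). As a secondary indicator it also reports whether the jar contains the JndiLookup class that the vulnerable lookup path lives in. The sample jars it scans are constructed in a temporary directory; the paths and helper names are this example's own.

```python
"""Inventory log4j-core jars under a directory and flag pre-fix versions.

Added example (not from the advisory). Assumptions: the fixed version is
2.15.0 as the advisory states; log4j-core jars carry
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties with a
'version=' line; the sample jars in demo() are constructed, not real builds.
"""
import os
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)  # threshold from the advisory; adjust to current guidance
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a qualifier such as '2.0-beta9' keeps its numeric prefix."""
    parts = []
    for piece in text.strip().split("."):
        number = piece.split("-", 1)[0]
        parts.append(int(number) if number.isdigit() else 0)
    return tuple(parts)


def inspect_jar(path):
    """Read the log4j-core version (if any) and check for the JndiLookup class."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        return {"path": path, "version": version, "has_jndi_lookup": JNDI_LOOKUP in names}


def is_vulnerable(info):
    """Below the fixed version, or unknown version but JndiLookup present, needs attention."""
    if info["version"] is None:
        return info["has_jndi_lookup"]
    return info["version"] < FIXED_VERSION


def scan_tree(root):
    """Return inspection records for every archive under root that needs patching."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                info = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than crash the inventory
            if is_vulnerable(info):
                findings.append(info)
    return findings


def make_sample_jar(path, version, include_jndi=True):
    """Construct a stand-in jar with the Maven metadata a log4j-core jar carries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class


def demo():
    """Scan two constructed jars; only the pre-fix one should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(tmp, "log4j-core-2.15.0.jar"), "2.15.0")
        return sorted(os.path.basename(f["path"]) for f in scan_tree(tmp))


if __name__ == "__main__":
    for flagged in demo():
        print("needs update:", flagged)
```

Point scan_tree at an application's deployment directory to get the list of archives to upgrade. The check looks only one level deep: a war that embeds log4j-core under WEB-INF/lib would need each nested jar extracted and inspected the same way, and shaded or renamed jars that drop the Maven metadata are only caught by the JndiLookup indicator.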