Last updated on 10. January 2022
Currently, the zero-day vulnerability in Apache’s Log4j module is keeping the world on tenterhooks. Log4j is a Java framework for logging application messages. The library has established itself as the standard method for logging for many software vendors. Specifically, Log4j is used to generate the log data of an application.
In its press release of 11.12.2021, the Federal Office for Information Security in Germany (BSI) warns of the security vulnerability designated CVE-2021-44228 at alert level “red” and advises extreme measures. “Although there is a security update for the affected Java library Log4j, all products that use Log4j must also be adapted,” writes the BSI in its press release.
The vulnerability is so dangerous because the Log4j Java library is also used by a large number of well-known companies. Large-scale scans for the vulnerability, as well as attempted and already successful attacks, have become publicly known. Hackers can exploit the vulnerability to execute arbitrary code, or to plant backdoors in systems now in order to attack them at a later time. Accordingly, the full extent of the damage caused by this vulnerability is not yet foreseeable.
An extensive, constantly updated list that collects the update status from numerous manufacturers has been published on github.com: https://github.com/NCSC-NL/log4shell/tree/main/software
“We have been following the recent coverage of the critical vulnerability in Apache Log4j and I can share that our oneclick™ platform systems are not affected by the vulnerability. Thus, our customers continue to be protected and there is no need for action with regard to the oneclick™ platform. Nevertheless, we recommend that our customers check the other systems they use with regard to this vulnerability,” says Dominik Birgelen, CEO of oneclick AG.
Here, you can learn more about the security of the oneclick™ platform.