CW+ Premium Content/Computer Weekly

21 December 2021

What is Log4Shell, and why are we panicking about it?

The so-called Log4Shell vulnerability in the Apache Log4j2 Java-based logging library has been described variously as “probably the most critical vulnerability we have seen this year” by Qualys’s Bharat Jogi, “a design failure of catastrophic proportions” by F-Secure’s Erka Koivunen and “a flashbulb memory in the timeline of significant vulnerabilities” by Sonatype’s Brian Fox. In fact, as the implications of this newly disclosed vulnerability become clear, you would be hard-pressed to find a security expert who was not extremely worried by it. Anyone following social media over the weekend of 11 and 12 December 2021, as the security community wrestled with the implications of Log4Shell, could be forgiven for thinking that the sky had already fallen in.

So what do defenders need to know? Unfortunately, in this instance melodrama is something of an understatement; the community’s reaction is, to a large extent, entirely justified. The zero-day, which is tracked as CVE-2021-44228, was made public at the end of last week, ...
