If you stay up to date with technology news, you’re likely aware of a critical vulnerability reported in Log4j, a highly popular logging tool used by a large part of the industry. This vulnerability allows attackers to execute malicious code on any affected systems.
We’ve been actively monitoring the situation and want to reassure our customers that at present our own infrastructure is okay, and anyone with Fasthosts shared web hosting packages, email packages and cloud packages doesn’t need to do anything.
Those with a Dedicated Server or VPS have full control of their servers and we’d advise them to check their systems for anything they have installed that may make it vulnerable.
If you’re not fully caught up on the situation, here’s a little overview of what’s going on, what it means and what you can do if you’re worried about your server.
What is the Log4j vulnerability?
Reported by Apache late last week, the vulnerability relates to their Log4j software, a widely used logging package for Java. The flaw, tracked as CVE-2021-44228 and referred to as Log4Shell, allows attackers to remotely execute code on a target server and, if successful, potentially take control of the system.
One of the first attacks reported involved the popular computer game Minecraft. One of the game’s servers was successfully attacked but Microsoft, the game’s owner, quickly patched the problem. Other popular services like Steam and iCloud have also already been found to be vulnerable.
Who’s affected by the Log4j vulnerability?
Due to the popularity of Log4j, the discovered flaw is affecting millions of servers worldwide. To be more specific, any system that uses Log4j version 2.0 to 2.15 is potentially vulnerable.
Although it’s a logging tool used with Java, you don’t have to have installed Java specifically to be at risk. Log4j and Java are often bundled into common software packages such as Logstash, Elasticsearch and Storm (via Docker). So anyone who has installed a software package that includes Log4j may also be vulnerable.
What can you do to protect your servers from Log4Shell?
Thankfully fixes are already being put in place to patch this bug, so you should update your software as soon as you can. Apache have already released version 2.16 and published a security outline that includes mitigation suggestions, such as:
- Users on Java 8 should upgrade Log4j to release 2.16.0.
- Users on Java 7 should upgrade Log4j to release 2.12.2 when available (expected soon, currently a work in progress).
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
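Before applying any of the mitigations above, you need to know which Log4j jars are on the server in the first place, including copies bundled inside other software. The script below is an added example written for this post, not a tool from Apache or Fasthosts: it walks a directory tree for log4j-core jars, reads each jar’s version from its manifest (falling back to the file name), flags anything in the 2.0 to 2.15 range named above that still contains the JndiLookup class, and can strip that class from a jar, which has the same effect as the zip command in the last bullet. The sample jars it builds in a temporary directory are constructed stand-ins so the script runs offline; point scan() at a real path such as /opt or /usr/share when checking a Dedicated Server or VPS.

```python
"""Find log4j-core jars, flag versions in the 2.0-2.15 range, and
optionally remove JndiLookup.class (the post's zip -d mitigation)."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g) for g in m.groups(default="0")) if m else None


def jar_version(path):
    """Read Implementation-Version from the manifest, else from the file name."""
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read(MANIFEST).decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def has_jndi_lookup(path):
    with zipfile.ZipFile(path) as zf:
        return JNDI_CLASS in zf.namelist()


def is_in_vulnerable_range(version):
    """True for 2.0 <= version < 2.16, the range the post names."""
    v = parse_version(version)
    return v is not None and (2, 0, 0) <= v < (2, 16, 0)


def assess(path):
    version = jar_version(path)
    jndi = has_jndi_lookup(path)
    return {
        "path": path,
        "version": version,
        "jndi_lookup_present": jndi,
        # A jar already stripped of JndiLookup.class does not need action.
        "needs_action": is_in_vulnerable_range(version) and jndi,
    }


def scan(root):
    """Walk root and assess every log4j-core-*.jar found, bundled copies included."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(assess(os.path.join(dirpath, name)))
    return results


def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class; returns True if it was removed."""
    with zipfile.ZipFile(path) as src:
        keep = [i for i in src.infolist() if i.filename != JNDI_CLASS]
        removed = len(keep) != len(src.infolist())
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in keep:
                dst.writestr(info, src.read(info.filename))
    if removed:
        with open(path, "wb") as f:
            f.write(buf.getvalue())
    return removed


def make_sample_jar(path, version):
    """Constructed sample jar: a manifest plus two placeholder class entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Scan constructed jars, mitigate the flagged one, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        old = os.path.join(tmp, "app", "lib", "log4j-core-2.14.1.jar")
        new = os.path.join(tmp, "elasticsearch", "lib", "log4j-core-2.16.0.jar")
        make_sample_jar(old, "2.14.1")
        make_sample_jar(new, "2.16.0")
        flagged_before = sum(r["needs_action"] for r in scan(tmp))
        removed = remove_jndi_lookup(old)
        flagged_after = sum(r["needs_action"] for r in scan(tmp))
        return {
            "flagged_before": flagged_before,
            "removed": removed,
            "flagged_after": flagged_after,
            "old_still_has_jndi": has_jndi_lookup(old),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Removing the class is a stop-gap for systems that cannot be upgraded immediately; a jar that reports a version in range but no longer contains JndiLookup.class is not flagged, so rerunning scan() after the change confirms the mitigation took effect.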
What does this mean for our servers?
As mentioned above, at present our infrastructure is okay and our shared hosting, email hosting and cloud customers don’t need to do anything. We have very few systems using this software and any that do have either been patched or were not vulnerable to start with.
If you have a Dedicated Server or VPS we strongly recommend that you check your systems for the Log4j vulnerability. As you have full control over your servers, we can’t check this for you. We suggest that you do this as soon as you can to minimise the risk of your systems being compromised. You can follow the steps above: check for Log4j installations, including any bundled software that you have installed, and update Log4j to release 2.16 on Java 8, or to release 2.12.2 on Java 7, as soon as you can.
If you have any questions about your servers or how to check your systems, our expert server support team is here to help. You can also check your support site for advice on how to edit settings within your Dedicated Servers and VPS.