Log4Shell Vulnerability Leaves Software Community Scrambling

Just in time for the holidays is a new, major cybersecurity threat that has tech companies mobilizing to remediate a software vulnerability.

The Log4Shell vulnerability was identified in Apache’s Log4j software library. The library enables developers to track changes in the applications they build. A software flaw was initially spotted on sites frequented by Minecraft video game enthusiasts and was reported to Apache, according to several sources.

This vulnerability is a gateway for hackers to launch remote code execution (RCE) attacks against Java-based web servers and take control of affected systems. Given that the software is fairly universal in internet applications, from Amazon Web Services to the Apple iCloud and countless others, the threat has caused global tech companies to issue advisories and guidelines for dealing with the vulnerability.

Microsoft warned that hackers can, among other things, install crypto coin miners, steal credentials and exfiltrate data. While there have been no early reports of major Log4j hacks, NBC News—quoting an expert from cybersecurity specialist Mandiant—reported that state-sponsored hackers in China and Iran have begun taking advantage of the flaw.

ABC News reported that Amazon Web Services and IBM are in the process of issuing patches in their software to help address the vulnerability.

Industry Guidance

Companies that serve the office technology dealer space have been quick to get in front of the issue. On Monday, ECI Software Solutions sent out an advisory to its channel partners, encouraging their internal teams to examine the possible impact to any vendor software used.

ECI noted that its security, cloud operations and product development teams worked diligently to assess and mitigate its use of Log4j. “We have found very few instances of our direct use of Log4j and have remediated these vulnerable versions within our cloud offerings,” the company wrote. “We continue to monitor the situation and will keep you apprised of any important updates.”

The software vendor noted that users do not need to take action at this time. “In most cases, our customers’ use of ECI software products is unlikely to be materially affected by this vulnerability. For ECI customers using our cloud offering, our security team has already identified and applied fixes.”

On its website, KnowBe4 confirmed that none of its products have been impacted by the vulnerability and that no actions are required of its customers.

“In addition to investigating our products, we have and will continue to investigate third-party software and applications used by KnowBe4 to determine if any are affected,” KnowBe4’s Stu Sjouwerman wrote. “For any third-party software or applications KnowBe4 uses where a recommended mitigation was determined to be needed, we have implemented those recommended mitigations. We have also inspected audit trail logs for these systems and can confirm at this time there are no systems or data that have been affected.”

He added that KnowBe4 will continue to actively monitor its environment and its third-party advisories for new developments.

MPS Monitor noted it has been actively reviewing its infrastructure to assess its exposure to the vulnerability and assured customers there is no risk to users of its print fleet management platform.

Sepialine reported that neither the server-side nor the client-side components of the Printerpoint fleet management software use Java or Log4j, and that they are not affected by the vulnerability.

Erik Cagle
About the Author
Erik Cagle is the editorial director of ENX Magazine. He is an author, writer and editor who spent 18 years covering the commercial printing industry.