The BSI, Federal Office for Information Security, calls out the warning level red because of the Java library Log4j and its vulnerability Log4Shell. The problem creates an extremely critical threat level.
According to the Federal Office for Information Security (BSI), the critical vulnerability (Log4Shell) in the widespread Java library Log4j leads to an extremely critical threat situation. The BSI has therefore upgraded its existing cyber security warning to warning level red. The reason for this assessment is the very widespread use of the affected product and the associated effects on countless other products. The vulnerability can also be exploited in a trivial way; a proof-of-concept is publicly available. Successful exploitation of the vulnerability enables complete takeover of the affected system. The BSI is aware of global and Germany-wide mass scans as well as attempted compromises. The first successful compromises are also reported publicly.
Log4j: The vulnerability can be exploited in a trivial way
According to the BSI's assessment, the full extent of the threat situation cannot currently be conclusively determined. There is a security update for the affected Java library Log4j, but all products that use Log4j must also be adapted. A Java library is a software module that is used to implement a specific functionality in other products. It is therefore often deeply anchored in the architecture of software products. Which products are vulnerable and for which there are already updates is currently not completely clear and must therefore be checked on a case-by-case basis. It is to be expected that further products will be recognized as vulnerable in the next few days.
Defense measures recommended for implementation
The BSI particularly recommends companies and organizations to implement the countermeasures outlined in the cyber security warning. In addition, the detection and reaction capabilities should be increased in the short term in order to be able to monitor one's own systems appropriately. As soon as updates are available for individual products, these should be installed. In addition, all systems that were vulnerable should be examined for compromise.
More at BSI.bund.de
About the Federal Office for Information Security (BSI) The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.