What is Log4Shell, and why are we panicking about it?
This article is part of the Computer Weekly issue of 21 December 2021
The so-called Log4Shell vulnerability in the Apache Log4j2 Java-based logging library has been described variously as “probably the most critical vulnerability we have seen this year” by Qualys’s Bharat Jogi, “a design failure of catastrophic proportions” by F-Secure’s Erka Koivunen and “a flashbulb memory in the timeline of significant vulnerabilities” by Sonatype’s Brian Fox. In fact, as the implications of this newly disclosed vulnerability become clear, you would be hard pressed to find a security expert who was not extremely worried by it. Following social media over the weekend of 11 and 12 December 2021, as the security community wrestled with the implications of Log4Shell, you could be forgiven for thinking that the sky had already fallen in. So what do defenders need to know? Unfortunately, in this instance the melodrama is something of an understatement, and the community’s reaction is largely justified. The zero-day, which is tracked as CVE-2021-44228, was made public at the end of last week, ...
Features in this issue
It’s been described as a ‘design failure of catastrophic proportions’ that threatens the very fabric of the digital world. Find out what the Log4j2 Log4Shell panic is all about, and what you should do about it.
We take a look at the SASE environment and what challenges and benefits lie ahead in the adoption of secure access service edge
The government has agreed to pay compensation to former subpostmasters wrongly convicted in the Post Office Horizon IT scandal, but continues to refuse to pay a significant group of victims