TL:DR (but do read to understand why)
Infotex’s primary base of WordPress sites are not affected by this but do check your external systems.
What is Java?
First developed in 1995, Java is a popular programming language that you may be using without even knowing it! All Android phones are based on the Android Runtime which is itself a derivative of Java.
Java is a very structured language known by developers for embodying Object-Oriented-Programming methods and being platform agnostic, i.e. code written in Java will run equally well on Windows, Apple’s MacOS, Android phones and a plethora of esoteric platforms.
At one point it was commonplace to embed Java “applets” into web pages, however due to the power of Java this was found to be a very risky practice and modern browsers do not permit this.
What is Log4j?
In computing most systems output status updates for diagnostic purposes, some systems make these available to users while others hide them from public scrutiny by writing to logs thus allowing developers to understand what went on when something failed.
Log4J is a utility overseen by the well known Apache Foundation which is coded in Java and is designed to process log requests either from Java applications or third parties and can apply a raft of highly complex rules to understand when a status update is routine vs. critical in nature.
Because it is so powerful yet easy to configure, this has been used in a wide variety of purposes, both bundled with Java systems and deployed to process logs from other systems (one example might be to take web server logs and promptly raise a support ticket when certain classes of error occur).
What happened?
There is a highly publicised bug in Log4j from version 2.0-beta9 – 2.14.1 which is technically known as CVE-2021-44228 but more commonly by the nickname “Log4Shell”.
This was announced on 9th Dec 2021 before its maintainers were even aware of it, it appears attackers had been taking advantage of it for at least a week prior and as such is given the “Zero-day” moniker and scores the highest possible severity rating of 10/10.
Basically, on systems not configured with formatMsgNoLookups, the vulnerability allowed an attacker to create a request which would be processed by Java’s Naming & Directory Interface (JNDI) and would cause the server to make an external request and potentially execute code provided by a third-party attacker. That’s about as bad as things can get when a system is intended to process logs that anyone can initiate in web scenarios.
There are already reports of attackers using this bug to run bitcoin miners earning money for the attacker on afflicted servers.
Fixes were provided by log4j’s maintainers in version 2.15 with a subsequent release to more fully disable potential attack vectors in 2.16.
The US Cybersecurity and Infrastructure Security Agency (CISA) estimates that there are hundreds of millions of devices that are (or were) vulnerable to Log4Shell.
What’s Infotex’s position?
Infotex’s core online platform is WordPress which runs on a PHP platform and none of our log processors run log4j, nor do our client servers have Java installed.
As such our primary base of client sites are not affected.
Since the news of this vulnerability broke on Friday our team reached out to a number of specialist suppliers who offer services (e.g. custom search facilities) to specific clients which could be impacted and have received confirmation from those suppliers that fixes are being, or have already been deployed.
We have also evaluated a number of tools that we use internally (Log4j is also in use on some desktop utilities although the window of opportunity for an attacker there is minute as those systems are not available for attack online) and we have installed updates where applicable for these tools.
Pro-active protection
We frequently recommend Cloudflare as a security & performance option to clients and it is worth noting that any websites with Cloudflare’s WAF deployed were protected from attack soon after news of this issue broke as they enabled an emergency firewall rule to block potential exploits.
Do I need to take any action?
If your website is managed and hosted by Infotex then the likelihood is that you do not need to take any action. If you have websites hosted by anyone else, then you will need to check with those respective hosts to clarify their position. You should also check that you do not have any vulnerable installations of Log4j on your desktop or devices within your business, as it can be utilised in desktop programs.
There are several resources online trying to pull together software vendors statements clarifying whether any updates are needed etc.
One such list can be found at: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
Keeping your computers and website safe is a constantly evolving challenge and requires co-operation from all parties and this demonstrates the need to know who provides what and ensure that they are managing those systems effectively.
