Apache Log4j 2.0 - remote code execution vulnerability

[mkvjetta]

Hey everyone, I'm a new IT Manager for a local company here in Michigan. We are running Nessus to scan our servers for vulnerabilities and one of the risks is Log4j was flagged. It wants us to update to the latest version. However, i am not familar with Log4j , its features or what it really does to be honest.

Can i please get some assistance on how how to update the program to the latest version?

TIA,
Anthony

[vy]

Hey @mkvjetta! Your description hints that you have certain applications that depend vulnerable versions of the Log4j library. In December 2021, there was found a highly critical Log4j vulnerability, and it got patched. Apache Logging Services – the Apache Software Foundation project maintaining Log4j, Log4cxx, and some other sub-projects – publishes a security bulletin of known vulnerabilities, you can check that out for details.

We recommend you to upgrade your Log4j library to the latest version, that is, 2.23.1 as of date. How to upgrade Log4j depends pretty much on your application and its setup. It is difficult to give you instructions without knowing much about your context. I advise you to consult to your engineers/administrators responsible for the software Nessus flagged. You can also check out the Log4j website on how to download, install, etc. There are also community support channels, where commercial support options are listed too.