Another day, another 0-day (brand new, limited mitigation) vulnerability. This time, Java installations are the target. This is a developing situation, and you can find additional information here:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
What happened? Meet Log4Shell. This exploit uses a vulnerability in a library (component) of Java named Log4J (version 2 or newer), a logger of application/system activity. Global monitoring services already show that Log4Shell is being actively attempted in systems providing services to network/remote users, such as web servers, enterprise application servers, game servers, etc.
Cloud providers using Java are at risk, just like an enterprise or a small business using software that has Java built into it. The good news is that the vulnerability has already been fixed with a Java hotfix. However, in many cases, as Java is one part of an application, you will need to resolve this on a case-by-case basis. Recommended actions are to review each server application you host, local network or Internet-accessible, for Java presence. Update each affected application that uses Java when a hotfix is available.
Any operational software developer that uses Java in their app is well aware of this vulnerability and actively working on a fix if it is not already available. Review release notes and upgrade paths as sometimes you may need to update multiple versions to get to the current version. Take temporary virtual machine snapshots where applicable before installing in case a revert is necessary.
