Log4J Zero-Day: What it is and why Webgains is immune

On Thursday 9th December, security researchers found a new zero-day vulnerability in the Apache Log4j Java library. The vulnerability, which enables attackers to gain full control of affected servers, is easy to exploit and is indeed already being exploited in the wild.

Although the vulnerability was first discovered in video game Minecraft, any systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1 are affected and at risk. Fortunately, neither the Webgains platform nor tech stack are under threat; our affiliate marketing network doesn’t make use of Log4j and Webgains isn’t built on Java or Java libraries.


Neither the Webgains platform nor tech stack are under threat; our affiliate marketing network doesn’t make use of Log4j and Webgains isn’t built on Java or Java libraries.


What is a Zero-Day vulnerability?
A zero-day exploit is an exploit that is unknown by the vendor of software and is used before it is patched.

More about Log4j
Log4j is an open-source Java-based logging tool available from Apache, used to log error messages in applications. It will interpret a log message as a URL, go and fetch it, and even execute any executable payload it contains with the full privileges of the main program. It’s widely used across many Java applications and infrastructure.

Log4j runs in many libraries including Struts 2, Solr, Druid, Flink and Swift frameworks, and is used in many enterprise-level software applications across the world including systems used by Azure, Dell and Amazon to name a few. The sheer volume of devices at risk combined with the ease with which they can be exploited, means that this vulnerability must be taken extremely seriously in both public and private sectors.

Please refer to Juniper Threat Labs diagram below to understand this Log4j vulnerability, tracked as CVE-2021-44228.

What happens now?
The central advice coming from US federal body CISA at this moment is to identify internet-facing devices running Log4j and upgrade them to version 2.15.0, or to apply the mitigations provided by vendors “immediately”. But it also recommends setting up alerts for probes or attacks on devices running Log4j.  

Apache has already released a security patch that disables the system that can be exploited, and this update is now being deployed across all companies that maintain and host this software.

2 days ago
The third session from Webgains Transform Series 2 - 'The Post-Pandemic Consumer' - will be available to watch free via our Academy from 10am GMT tomorrow morning.

Learn more and register - https://t.co/Mg6OC7xvfg

#WebgainsTransformS2 #AffiliateMarketing https://t.co/DiLKXUXj41
4 days ago
Performed for the @SkySports cameras this evening 🎥. A fantastic victory with so many key injuries at the moment. https://t.co/nozMRPbCZJ
5 days ago
Let's go @BristolFlyers! Lots of eyes on this one as it's live on Sky Sports. https://t.co/uRAiefQvnf
5 days ago
𝗧𝗿𝗮𝗻𝘀𝗳𝗼𝗿𝗺 𝗦𝗲𝗿𝗶𝗲𝘀 𝟮 𝗶𝘀 𝘂𝗻𝗱𝗲𝗿𝘄𝗮𝘆. 𝗥𝗲𝗴𝗶𝘀𝘁𝗲𝗿 𝗳𝗿𝗲𝗲 𝗻𝗼𝘄 𝘁𝗼 𝘄𝗮𝘁𝗰𝗵 𝗮𝗹𝗹 𝘀𝗲𝘀𝘀𝗶𝗼𝗻𝘀 𝗼𝗻 𝗪𝗲𝗯𝗴𝗮𝗶𝗻𝘀 𝗔𝗰𝗮𝗱𝗲𝗺𝘆 𝗮𝘀 𝘀𝗼𝗼𝗻 𝗮𝘀 𝘁𝗵𝗲𝘆 𝗮𝗿𝗲 𝗿𝗲𝗹𝗲𝗮𝘀𝗲𝗱.

Register - https://t.co/342Hduc9oo

#WebgainsTransformS2 https://t.co/U1HRbcio8P