The Impact of the Log4j Vulnerability
The Video
In Simple Terms...
Log4j is an open source logging framework from the Apache Foundation. Its primary purpose is to facilitate application logging for web applications. What makes it dangerous is the ability to execute arbitrary commands on the server, simply by submitting a particular string to a field that the application then stores in the log file(s). For example, renaming your iPhone to the exploit string can trigger the vulnerability on Apple's iCloud servers. Hopefully this is fixed by now.
Coupled with an extensive amount of adoption from large and small companies alike, this simple exploit is being abused in the wild by malicious actors. Problems range from:
Data disclosure
Remote Code Execution (RCE)
Server takeover
Denial of Service (DoS)
An iPhone device information screen with name changed to contain the exploit string. Image: Cas van Cooten / Twitter
Consumer Actions
Be aware that many breaches are likely to stem from this and will trickle out over the coming weeks and months. The attack surface is extremely large and thus the total damage is difficult to estimate at this time. We'll keep our post updated as new information becomes available. If you have specific concerns, please use the contact form (top right corner of this page) to reach out to us.