A zero-day vulnerability is a software flaw even the provider doesn’t know about. Stockpiled by governments and attackers, ‘zero days’ rarely affect massive portions of the internet all at once. Log4j is the exception.
As an online finance system, Xledger has zero vulnerability to Log4j. However, as a software provider, Xledger wants to raise the issue of log4j for both our customers and any others that come across this blog. A substantial minority stands at immense risk of missing the vulnerability and exposing vital attack surfaces to attackers.
What is Log4j?
A team of researchers discovered a flaw in Java-based servers and development frameworks. Crafted by Apaches Software Foundation, Log4j allows developers to record user behavior within a Java library. Despite decreasing popularity, Apache’s logging software has been downloaded millions of times, and systems from email to gaming stand at risk.
But risk of what? Log4j could allow hackers to executive remote commands on a target system. Here’s where the zero-day vulnerability comes into play: researchers have no idea how many attackers have already exploited this.
Readers can get a full list of vulnerable products here. Apache has released a fix (including to a second Log4j flaw), and nearly a week later, the majority of software most Americans use will have heard about and already implemented fixes for the Log4j vulnerability.
However, you need to ensure that your technical department both knows about the flaw and has Apache’s current version, a step essential to securing the latest patches.
How did Xledger react?
“I communicated with our IT & R&D teams,” said Nathan McCann, president of Xledger USA, “and am pleased to report that Xledger’s systems and software don’t leverage the Log4j logging library or any of the corresponding Java-based services. We have technology and teams in place to prevent and mitigate such risks.”
Although Xledger does not employ Log4j, Xledger’s security team notified our customers. “Our technology teams will be continuously monitoring this situation and will remain alert for future threats,” McCann affirmed.
“Further, Xledger takes any potential vulnerability very seriously and we will continue to be ever-vigilant to ensure the protection and safety of the data our customers entrust to our care.”