A new security vulnerability named ‘Log4Shell’ was disclosed late last week and is already being exploited by attackers across the Internet due to its severity and relative ease of exploitation. This vulnerability affects a component of Apache web server software that is widely used for enterprise web systems or systems that rely on web interfaces. The technical write-up on Ars Technica provides an appropriately sobering overview of this flaw:
“In a best-case scenario, major brokerages, banks, and merchants will invest huge sums in overtime costs to pay large numbers of already overworked IT employees to mop up this mess during the holidays. You don’t want to think about the worst-case scenario, other than to remember the 2017 breach of Equifax and the resulting compromise of 143 million US consumers’ data that followed when that company failed to patch against a similarly devastating vulnerability.”
The Division of Information Technology has already begun scanning and tracking our servers and web systems that could be affected. In order to protect the confidentiality of data stored or transmitted on these systems, we will be applying fixes as soon as they’re made available from software vendors. These fixes could result in short maintenance windows outside of our normal monthly updates.
We will share more information as it becomes available.
You can read more about Log4Shell here: https://apnews.com/article/technology-business-lifestyle-software-apple-inc-aed3cc628fc602079b100757974c8f01