Skip links

CTS Update: Log4j Vulnerability


Happy Monday,

We’re here to give you an update on the Log4j exploit that’s been recently discovered and causing a lot of concern.

First, we are fully aware of the wide-ranging consequences of cyber security incidents and take them very seriously. Our team closely monitors any breach and vulnerability, and takes immediate action to protect our clients. This exploit affects cloud-based services, not your devices. Therefore, we do not need to make any changes or updates to them. We are closely working with all of our cloud-based service providers to confirm any vulnerability (if it exists) is addressed. At this time, we do not have any reason to believe this exploit is a concern for any of the services we provide. Below is a short explanation of the vulnerability:

What is this exploit about?

Many, many servers (including internet servers) use a programming language called Java. Java has been around for a quarter of a century at this point, which in computer technology time, is a very long time.

One of the oldest Java plugins (called libraries) for logging things in a server is called “Log4J”. Log4J has been around for almost 20 years now, so there are also many servers out there that use it.

Something that almost every server must do, over time, is generate logs of text. For example, “At 12:23pm user 67456 submitted a review for product 7635824: This is the best toothbrush I’ve ever purchased!”. Log4J is used to log text like this.

It turns out that some versions of Log4J have a critical vulnerability where, if a specially formatted piece of text is saved to a log that is handled by Log4J, an arbitrary command can be executed in that server. So, for example, “At 12:23pm user 67456 submitted a review for product 7635824: {send user 82738’s private account details to}”

This example is simplified a lot, but they hopefully communicate the basic nature of the threat.

Unfortunately, as an individual, there’s not a lot that you can do about any of this. First off, it’s difficult to know which of the internet services that you use depend on Java. Secondly, it is virtually impossible to know which of these services use Log4J. Thirdly, it is even more impossible to know which versions of Log4J they are using.

As always, we’ve got your back and are doing everything we can to keep you safe.

– CTS Care Team