On November 24th, a month before Christmas, members of the Apache Foundation must have broken into a cold sweat, and perhaps cancelled their Christmas holidays, when a security researcher from Alibaba warned them about a zero-day vulnerability in one of their tools, Log4J.
Log4J stands for Log for Java. It is a library that records (logs) your program's activity.
It is massively used within companies and services from Apple and Google to Minecraft and Steam, which means over a billion devices and potential users could be affected.
This, obviously, makes it feel like the vulnerability of the millennium, all the more so because the exploit is easy to perform and allows remote code execution (RCE) on any system using Log4j.
Despite the criticisms that some may level against the Apache Foundation and the Open Source model, the facts speak for themselves.
Within a few days, a workaround was provided and a new release is already available to patch these vulnerabilities.
For now, it is too early to know whether actual attacks, such as ransomware campaigns, have been carried out through this particular vulnerability.
But it seems certain we will keep hearing about it for the next few weeks.
To get the latest patched version of log4j: https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0