Happy Tuesday, folks - Chad here. Yup, I’ll just shut up now, and we can start screaming about Log4j. There are obviously other stories in security news this week, but man...never mind those for today. Let’s get the obvious part for Admins out of the way:
That pretty much sums up how most of my friends in Security feel this week. So now that we’re all laughing instead of crying, it’s alphabet soup time, I guess: WTAH*eck is Log4j? Well, if you haven’t read by now, here’s a TL;DR: Log4j is an open-source Java library from Apache. It’s been downloaded ~500k times from GitHub and is pretty widely used for things like event logging in applications, among other things.
It’s already being exploited, and could get pretty wild if not widely remediated ASAFrigginP.
If you have any questions about AX and Log4j, please don’t hesitate to ask. However, Brittany’s post should provide all the answers. We’ll also cover it in our Patch Tuesday webinar for December, featuring special guest - our very own