Here's Why The Log4j Security Vulnerability Has CISA Pressing The Panic Button
Yesterday, the agency had a phone briefing with "critical infrastructure stakeholders" about the flaw. As a refresher, a string processing vulnerability in Apache's Log4j logging package—included in dozens of other huge software packages and used on hundreds of thousands if not millions of machines worldwide—allows a remote user with a carefully crafted input string to gain full remote code execution on the vulnerable system, with no credentials required whatsoever.
The Financial Times reports that Check Point has commented that almost half of the attacks have been performed by known cyber-attackers who are using the vulnerability to spread malware. Meanwhile, SentinelOne and Mandiant have apparently both commented that Chinese state-sponsored cybercriminals are actively exploiting the flaw. Still other groups are using the flaw to mine cryptocurrency on the exploited systems, particularly Monero.
As severe as the Log4j vulnerability is, most desktop users don't really have to worry about their own systems. The concern is primarily for web-facing servers hosting internet services. If you're a sysadmin, you're almost certainly already patching your systems, but just in case, it might not be a bad idea to go ahead and poke all your software to have it check for updates.
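Asking each application to check for updates only covers the copies of Log4j a package manager knows about. As an added example (not code from the article or from Apache), the inventory check a sysadmin would want first: a Python scan that walks a filesystem for the log4j-core jar, including copies nested inside WAR, EAR and fat jars, and reports where each one lives and which version its manifest declares. The artifact-name pattern and the marker class are assumptions based on the standard Log4j 2 layout.

```python
import io, os, re, zipfile

# Conventional artifact name, e.g. log4j-core-2.x.y.jar (assumption: standard Maven naming).
LOG4J_CORE_RE = re.compile(r"log4j-core-([0-9][A-Za-z0-9.\-]*)\.jar$")
# A class that ships only in log4j-core, so shaded or renamed copies are found too.
LOG4J_MARKER_CLASS = "org/apache/logging/log4j/core/Logger.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def _version_from_manifest(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def _scan_zip(zf, location, findings):
    """Record a log4j-core hit for zf, then recurse into archives nested inside it."""
    names = zf.namelist()
    if LOG4J_MARKER_CLASS in names:
        m = LOG4J_CORE_RE.search(location)
        version = _version_from_manifest(zf) or (m.group(1) if m else "unknown")
        findings.append((location, version))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # a resource with an archive suffix that is not a zip
            _scan_zip(inner, f"{location}!{name}", findings)

def find_log4j_core(root):
    """Walk root; return [(location, version), ...] for every log4j-core copy found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, path, findings)
            except zipfile.BadZipFile:
                continue  # corrupt or non-zip file with an archive suffix
    return findings
```

Call `find_log4j_core("/")` (or a narrower root such as an application directory) and compare each reported version against the fixed versions in Apache's advisory; the scan reports what is installed, it does not judge it.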