This is the largest vulnerability we have seen in years.
1. **You may still be vulnerable even if your project is not written in Java.** Many tech stacks are exposed because so many tools embed Log4j (the Java logging library; the JavaScript library Log4js is a different project and is not affected by this bug), including infrastructure, developer tools, and CI/CD products.
2. **Log4Shell will be here for a while.** Log4j is a core component already shipped inside many products, including network devices, management consoles, and enterprise software and hardware appliances. Those cannot all be upgraded in a few days.
3. **Companies may still be vulnerable even if the vulnerable host is deep inside the network perimeter.** The root cause is a simple string: it can be forwarded through many hops, be logged by a vulnerable server far from the edge, and trigger remote code execution somewhere deep inside the perimeter.
4. **There will be breaches.** So yes, your personal data is at risk as well. On GitHub, someone has posted screenshots of successful exploitation of large enterprises' services, including Apple, Tesla, and Microsoft.
5. **WAFs can't protect in full.** The exploit can arrive over any protocol, including APIs such as gRPC and GraphQL, or for example DNS or UDP. A WAF that only inspects HTTP, and only matches a fixed `${jndi:` signature, is not much help here.
See how Wallarm addresses the Log4j vulnerability for its customers in the relevant blog post.
The post "5 things you must know about Log4Shell" appeared first on Wallarm.