As you may be aware this information below was released by the UK’s National Cyber Security Centre last week with regards to Log4j vulnerability. NetworkTV servers are web-based products that do currently use Log4j.
Log4j vulnerability – what everyone needs to know
Information about the critical vulnerability in the logging tool, who it could affect and what steps you can take to reduce your risk.
Log4shell is a critical vulnerability in the widely-used logging tool Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments and individuals are likely to be affected by it. Although fixes have been issued, they will still need to be implemented.
What’s the issue?
Last week, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years.
Who is affected by this?
Almost all software will have some form of ability to log (for development, operational and security purposes), and Log4j is a very common component used for this.
For individuals, Log4j is almost certainly part of the devices and services you use online every day. The best thing you can do to protect yourself is make sure your devices and apps are as up to date as possible and continue to update them regularly, particularly over the next few weeks.
For organisations, it may not be immediately clear that your web servers, web applications, network devices and other software and hardware use Log4j. This makes it all the more critical for every organisation to pay attention to our advice, and that of your software vendors, and make necessary mitigations.
What is Log4j?
Modern software can be large, powerful, and complex. Rather than a single author writing all the code themselves as was common decades ago, modern software creation will have large teams, and that software is increasingly made out of ‘building blocks’ pulled together by the team rather than entirely written from scratch. A team is unlikely to spend weeks writing new code when they can use existing code immediately.
Log4j is one of the many building blocks that are used in the creation of modern software. It is used by many organisations to do a common but vital job. We call this a ‘software library’.
Log4j is used by developers to keep track of what happens in their software applications or online services. It’s basically a huge journal of the activity of a system or application. This activity is called ‘logging’ and it’s used by developers to keep an eye out for problems for users.
NetworkTV has evaluated the risks and developed an update which is no longer uses Log4j. Many NetworkTV system installations are potentially not at risk because they are not connected to the internet but of course it would be preferable to ensure that any future risk is also removed and the product supportable by use of the updated version.
Please contact your System Integrator in the first instance who will liaise with us regarding your chosen path forward.