The widespread logging library log4j has a critical vulnerability that allows attackers to execute arbitrary code on victim systems (remote code execution).
It is therefore strongly recommended to patch affected systems and applications, or to make it more difficult or prevent the exploitability of the vulnerability by changing the configuration or isolating affected systems.
The library is a Java library. It should therefore be checked for all systems whether they have a Java installation as a prerequisite or whether they have Java installed. In the case of Java systems, it must be checked whether they are using the affected log4j library.
Under the link
https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
A list of affected providers can be viewed.
DANGER! This list is not complete and is only an excerpt from the source given above. Many other providers will probably be affected who have not yet commented on this.
log4j should be updated to the current version 2.15.0 as soon as possible. Because it is often not possible for users to update the library independently within applications in which it is used, it must be checked whether the suppliers and manufacturers of affected products provide a security update that must be applied.
Where an update is not possible at short notice, two workarounds are currently recommended.
1. From log4j version 2.10:
Setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true
2. From log4j version 2.0-beta 0 and higher:
The JndiLookup class can be deleted from the classpath. (manufacturer's recommendation)
This is possible with the following command:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
3. Exchange of affected jar file:
It must first be checked whether it is possible to exchange the file. The manufacturer documentation for the affected products should be consulted for this purpose.
