Skip to site content
U.S. Department of Health and Human Services
Office of Information Technology (OIT)

Log4j Vulnerability: What It Is, Why It Matters, What You Should Do

Log4J title graphic.

What is the Log4j vulnerability?

Log4j is a popular software library that public and private organizations of all sizes and across many industries use to log security and performance information in services, websites, and applications. Software developers have discovered a number of vulnerabilities, including ones that allow a remote attacker to take control of an affected system and another that can deny access to system users.

Why does it matter?

Log4j is an Apache Software Foundation product. This foundation is the world’s largest free software product provider. These products are available to anyone, free of charge, and have been requested from every Internet-connected country on the planet. In short, Apache software products are very popular, and any attack on an Apache product makes every company or person using it vulnerable. In fact, this software exists on many systems and products without the owner’s knowledge. This includes personal equipment and software, like the Minecraft environment or some Internet of Things devices.

The Log4j vulnerability, also known as the Log4Shell hack, is zero-day, meaning that the vulnerability was discovered before a patch (fix) was available, giving attackers an immediate advantage. When Apache discovered the issue, the company released at least three patches, two of which have also contained vulnerabilities.

Stack of logs with 4J written on one.
A popular programming language, Java, often uses Log4j for logging purposes; any application or software that uses Java could be impacted. The number of systems using Java is not quantifiable, but conservative estimates count the number in the billions. Java is embedded in many products and services, including: routers, software, and server infrastructures including Microsoft, Amazon, Amazon Web Services, and Twitter. The Cybersecurity and Infrastructure Security AgencyExit Disclaimer: You Are Leaving www.ihs.gov  states that “Successful exploitation can occur even if the software accepting data input is not written in Java; such software is able to pass malicious strings to other (back end) systems that are written in Java.” Finally, an environment may be compromised without a direct connection to a system running Log4j. For instance, if a third-party vendor is attacked and you connect to them, your system becomes vulnerable. Systems using web browsers are vulnerable, as threat actors can exploit the vulnerability using internet protocols HTTP and HTTPS.

What should I do?

DOs DON'Ts
Continuously monitor the Apache Log4j Security Vulnerabilities webpage: https://logging.apache.org/log4j/2.x/security.htmlExit Disclaimer: You Are Leaving www.ihs.gov  Don’t connect your government-furnished equipment to home devices like printers or scanners.
Update to the most recent version of Log4j. Don’t wait to take action to protect your devices and network.
Apply the most recent patches for Log4j by visiting your device/vendor website and downloading available security updates.
Set your computer and smartphone to download software updates automatically.
Check manufacturer websites to update your internet-connected devices such as routers and printers.
Use multi-factor authentication for personal and professional accounts.
Visit providers like Microsoft, Amazon Web Services, Google, and your internet service provider for updated guidance.

Looking Ahead

Due to its presence across so many industries and environments, this vulnerability will be with us for the next several months as manufacturers and vendors develop patches to fortify systems and products. Please continue to practice good cyber hygiene and keep a look out for future patch releases.

If you notice any unexpected or abnormal behavior while using IHS equipment or systems, please contact cybersecurity@ihs.gov.

Resources & Additional Information

Apache Log4j Security Vulnerabilities
https://logging.apache.org/log4j/2.x/security.htmlExit Disclaimer: You Are Leaving www.ihs.gov 

Apache Log4j Vulnerability Guidance
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidanceExit Disclaimer: You Are Leaving www.ihs.gov 

GitHub Repository
https://github.com/cisagov/log4j-affected-dbExit Disclaimer: You Are Leaving www.ihs.gov 

How to Respond: The Apache Log4j Vulnerability Clearly Explained
https://www.upguard.com/blog/apache-log4j-vulnerabilityExit Disclaimer: You Are Leaving www.ihs.gov 

Log4j: How to protect yourself from this security vulnerability
https://www.techrepublic.com/article/how-to-protect-yourself-from-the-log4j-security-vulnerability/Exit Disclaimer: You Are Leaving www.ihs.gov 

Log4j Zero-Day Vulnerability Response
https://www.cisecurity.org/log4j-zero-day-vulnerability-response/Exit Disclaimer: You Are Leaving www.ihs.gov 
Dropped cup of coffee spilling out Java code.