In this latest release from the Canadian Global Affairs Institute, PhD Candidate Alexander Rudolph explains the recent Log4j vulnerability and examines its implications for both government and the private sector.
On December 10, 2021, the Canadian Centre for Cyber Security (CCCS) issued a security advisory regarding a critical vulnerability and called for users and network administrators to make the needed changes and updates to mitigate the threat. The vulnerability is in Apache Log4j, a widely used open-source tool for logging and recording activity in specific software applications and online services. The Log4j tool is so ubiquitous that some media are writing headlines such as “The Internet is on Fire.” Many industry insiders describe the vulnerability as among the worst in a decade, and have given it a severity score of 10/10.
So how bad is it, really? So bad that Quebec shut down almost 4,000 websites – just as a precaution. Even the federal government is not immune to the potential threat. The Canada Revenue Agency and Public Services and Procurement Canada, among others, have systematically taken down service infrastructure that might be affected, as a precautionary measure. But how bad can a vulnerability in a logging application be?