Critical Vulnerability Alert: Apache Log4j Remote Code Execution Vulnerability

Apache Log4j is a Java-based logging platform that can be used to analyse web server access logs or application logs. The software is heavily used in enterprise software, eCommerce platforms, and games such as Minecraft, whose developers rushed out a patched version on 10th December 2021.

Any organisation running Apache Tomcat web servers with Java dependencies should be aware. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of Log4j.

While Apache published a release candidate on December 6 to address this vulnerability, it was incomplete. Apache released 2.15.0 on December 10. Log4j 2.15.0 requires Java 8. Therefore, organisations that use Java 7 will need to upgrade before being able to update to the patched version of Log4j.

If patching is not immediately possible, there are three mitigation options suggested by Apache. More information on CVE-2021-44228 is available from Tenable.
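Before patching or mitigating, an organisation needs to know where log4j-core actually lives, including copies buried inside WAR files and shaded fat jars. The following inventory script is an added example and is not code from this advisory, from Apache, or from the scanner linked below. It assumes the standard layout of a Maven-built log4j-core jar (the `JndiLookup` class path and the `pom.properties` location) and takes 2.15.0, the first fixed release named above, as its threshold; the sample archives it builds are constructed dummies for demonstration.

```python
"""Inventory scanner for log4j-core archives (added example, not from the advisory).

Walks a directory tree, opens every jar/war/ear, reports the log4j-core version
(from Maven's pom.properties, falling back to the manifest) wherever the
JndiLookup class is bundled, and recurses into nested archives such as WEB-INF/lib.
"""
import io
import os
import re
import tempfile
import zipfile

# Standard locations inside a Maven-built log4j-core jar (assumed, not page-specific).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
# First fixed release per the advisory; adjust to current Apache guidance.
FIXED_VERSION = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(version):
    """Unknown versions and pre-release builds of the fix are treated as vulnerable."""
    if version is None:
        return True
    parsed = parse_version(version)
    prerelease = "-" in version  # e.g. 2.15.0-rc1, the incomplete release candidate
    return parsed < FIXED_VERSION or (prerelease and parsed <= FIXED_VERSION)


def log4j_core_version(zf):
    """Prefer pom.properties: shaded/fat jars keep it but replace log4j's manifest."""
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return value.strip()
    if MANIFEST in names:
        attrs = {}
        for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if "log4j" in attrs.get("Implementation-Title", "").lower():
            return attrs.get("Implementation-Version")
    return None


def inspect_archive(zf, label):
    """Yield a finding for each archive bundling JndiLookup; recurse into nested archives."""
    names = zf.namelist()
    if JNDI_LOOKUP_CLASS in names:
        version = log4j_core_version(zf)
        yield {"archive": label, "version": version, "vulnerable": is_vulnerable(version)}
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(nested, f"{label}!{name}")


def scan_tree(root):
    """Return findings for every archive under root, sorted by path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["archive"])


def build_sample_tree():
    """Constructed sample data in a fresh temp dir: a vulnerable jar, a patched jar,
    a WAR nesting the vulnerable jar, and an unrelated jar. Class bytes are dummies."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def write_core(path, version):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
            zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nversion={version}\n")

    write_core(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    write_core(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.write(os.path.join(root, "log4j-core-2.14.1.jar"), "WEB-INF/lib/log4j-core-2.14.1.jar")
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()):
        status = "VULNERABLE" if f["vulnerable"] else "patched"
        print(f"{status:10} {f['version'] or 'unknown':10} {f['archive']}")
```

Run it with a directory argument (for example the Tomcat `webapps` and `lib` directories) to list every bundled log4j-core with its version; with no argument it scans its own constructed sample tree. Presence of `JndiLookup` alone is not proof of exposure, which is why the version is reported alongside it, and an archive whose version cannot be determined is deliberately reported as vulnerable so that it gets checked by hand rather than silently passed.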

Other resources and information:

https://exchange.xforce.ibmcloud.com/collection/Log4j-Zero-Day-Vulnerability-4daa3df4f73a51590efced7fb90bc949

https://github.com/xforcered/scan4log4shell