As Christmas 2021 approaches, spare a thought for your sysamins, for your IT team, and for your cybersecurity staff.

There may be plenty of mice stirring all through the IT house right up to Christmas Eve…

…because that’s the deadline set by the US Cybersecurity and Infrastructure Security Agency (CISA) for patching the infamous Log4Shell vulnerability, a dangerously exploitable flaw in Apache’s widely used Log4j (Logging for Java) programming toolkit.

Since news first broke of the problem on 09 December 2021, Apache has a-patched the code not once but three times, variously fixing CVE-2021-44228 with version 2.15.0, quickly followed by 2.16.0 to fix a related bug dubbed CVE-2021-45046, foillowed quickly yet again by 2.17.0 to deal with CVE-2021-45105.

Why the pressure from CISA? Why the rush when we’re supposed to enjoying a global holiday season? Why not wait until New Year and deal with things then?

Here’s why your sysadmins are taking one (three, actually) for the team…

Log4Shell Response and Mitigation Recommendations

Advisory: 2021-007: Log4j vulnerability – advice and mitigations

Apache Log4j 2 v. 2.17.0 User’s Guide