
Log4shell (Log4j) Information

January 2022

About Log4shell

Log4shell is a critical vulnerability in the widely-used Java-based logging tool named "Log4j".

The vulnerability was discovered recently and made public last month. It could allow an attacker to break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

Log4j is used across software applications and online services worldwide, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years.

Is MIDAS affected?

In short - No - our software and servers are not affected by this vulnerability.

Almost all software has some form of ability to log (for development, operational and security purposes), and Log4j is a very common component used for this. However, neither our software nor our servers use Log4j for logging. Consequently, our MIDAS software and servers are not vulnerable to Log4shell.

What about self-hosted MIDAS systems?

If you run a self-hosted edition of MIDAS (where our software is running on your own server and infrastructure), then you would need to determine whether your server/infrastructure is potentially vulnerable to Log4shell.

Our MIDAS software itself doesn't require or utilize Log4j; however, that doesn't necessarily mean that your own server won't be running this logging utility in some capacity.

If in doubt, updating your server software and Log4j (if applicable) should mitigate the Log4shell vulnerability.

Where can I learn more about Log4shell/Log4j?

More information on Log4j/Log4shell may be found via the following links: