Malwarebytes products not impacted by Log4j “Log4Shell” vulnerability
On Thursday, December 9, 2021, the world learned of a critical vulnerability in the Apache Log4j logging utility. Log4j is a software component that’s included in a huge number of websites and applications, all of which are now potentially vulnerable to attack.
Malwarebytes is aware of the vulnerability and has determined that it does not currently impact Malwarebytes products or services.
The software vulnerability, officially designated CVE-2021-44228 but also referred to as “Log4Shell”, has the highest possible severity rating. Affected systems can be compromised by sending them a simple malicious instruction, which can be delivered in a variety of different ways. Successful attacks can be used to steal data or run malicious code on affected systems, over the Internet, with basic resources and skills.
Exploitation of vulnerable systems began soon after the news broke, and the tactics used to exploit the flaw have evolved rapidly since. Criminals have developed obfuscation techniques that allow their malicious instructions to bypass filtering rules, and researchers have shown that attacks work on systems running any version of Java, not just systems running older versions as was first thought.
It’s expected that Log4Shell will be widely exploited by threat actors looking to break into corporate servers and networks, and a significant collective effort over many months may be required to protect all affected systems.
The first step in defending against these attacks is to identify vulnerable software. As soon as we learned about the vulnerability, we immediately investigated to determine any exposure of our products, customers or company systems. Our research indicates that Malwarebytes products are not impacted by this vulnerability. Any backend or internal corporate systems that are found to be vulnerable are being patched/upgraded and continuously monitored after patching is complete. We are also in contact with our vendors as a part of our rigorous third-party risk management process to further assess any potential vulnerabilities or impact.
The software flaw affects Log4j versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1. Although 2.15.0 includes a fix for Log4Shell, it is still vulnerable in some non-default configurations. In all cases the most effective protection is to install the latest version, 2.16.0. Where installing the latest version isn’t possible immediately, please consult the Apache Log4j Security Vulnerabilities page for mitigations.
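To turn the version ranges above into an inventory check, here is an added Python example (not Malwarebytes code): it classifies Log4j 2 version strings against those ranges and walks a directory tree for log4j-core jars, reading each jar's manifest. The status labels, the manifest-then-filename lookup order and any sample jar are assumptions of this example, not something the advisory specifies.

```python
# Added example, not Malwarebytes code: classify Log4j 2 versions against the
# ranges stated in the advisory and scan a directory tree for log4j-core jars.
import os
import re
import zipfile
# Inclusive version ranges exactly as the advisory lists them.
AFFECTED = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.14.1")]
PARTIAL_FIX = "2.15.0"  # fixed by default, still exploitable in some non-default configs
FIXED = "2.16.0"        # the advisory's recommended version
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags sort before the final release

def version_key(v):
    """Turn '2.0-beta9' or '2.12.1' into a tuple that sorts in release order (None if unparsable)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", v.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE.get(stage, 3), int(num or 0))

def classify(version):
    """Map a version string to the status the advisory gives it (labels are our own)."""
    k = version_key(version or "")
    if k is None:
        return "unparsed"
    if any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED):
        return "vulnerable"
    if k == version_key(PARTIAL_FIX):
        return "partially-mitigated"
    if k >= version_key(FIXED):
        return "fixed"
    return "not-listed"  # outside the ranges above; consult the Apache security page

def jar_version(path):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    with zipfile.ZipFile(path) as z:
        if "META-INF/MANIFEST.MF" in z.namelist():
            mf = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", mf, re.M)
            if m:
                return m.group(1)
    m = re.search(r"^log4j-core-(.+)\.jar$", os.path.basename(path))
    return m.group(1) if m else None

def scan(root):
    """Return sorted [(path, version, status)] for every log4j-core jar under root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                found.append((path, version, classify(version)))
    return sorted(found)
```

Note that the scan only finds jars named log4j-core-*.jar on disk; a copy bundled inside an application archive or renamed would need the archive unpacked first.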
We will provide additional updates as we have new information or recommendations.