The Log4Shell Vulnerability

A zero-day vulnerability involving remote code execution in Log4j 2, given the descriptor "Log4Shell" (CVE-2021-44228), was discovered on December 9th, 2021. Although it was discovered through a bug bounty program for the popular game Minecraft by Chen Zhaojun of Alibaba Cloud Security Team, its effects reach far beyond the game.

This software is used by many websites and applications, mainly to perform tasks such as logging information for use by that website's developers, for debugging and other purposes. If exploited, the vulnerability allows remote code execution on vulnerable servers, giving bad actors the ability to import malware that would completely compromise machines.

Mesh’s technical team began investigating the extent of the issue over the weekend and a communication was issued to all partners on Monday 13th, December.

This vulnerability is NOT present in any of our external, customer facing systems.

Any potentially impacted internal systems have now been patched and we can confirm that no malicious activity has been detected.

As this is a dynamic situation, we will continue to monitor further developments and will keep our partners updated.

Further Reading:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://logging.apache.org/log4j/2.x/

https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit