The Log4j mess
For those who have not yet seen it, this advisory from Apache describes a nasty vulnerability in the widely used Log4j package.
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.
Updating this package is, of course, necessary, but on its own it will only help so much: Log4j is bundled into a lot of other deployed products, each of which needs its own update. For more information see this Ars Technica article or, for desperate cases, the Logout4Shell utility.