[20220207]IN11824_Systemic Vulnerabilities in Information Technology: Log4Shell.pdf
CRS INSIGHT
Prepared for Members and Committees of Congress

Systemic Vulnerabilities in Information Technology: Log4Shell
Updated February 7, 2022

There is a critical vulnerability in software used by millions of internet servers. Since its discovery, both criminals and nation-state actors have reportedly exploited it. It is uncertain how many entities are vulnerable, but it is presumed there are many. This CRS Insight describes the vulnerability and federal government response considerations.

Log4Shell

Log4j is an open-source tool the Apache Foundation makes available for logging web server activity. To work, Log4j has to access many network services (e.g., network maps and directories). Malicious actors discovered a way to use the Log4j tool to send commands that give them control of the servers. The cybersecurity community named this vulnerability Log4Shell. Log4Shell exploits have been observed to mine cryptocurrencies and expand botnets.

Apache Foundation software is very useful and freely available, so it is widely deployed. Hundreds of software projects maintained by the foundation rely on volunteer developers and are supported by donations and sponsorships. Res