The community lacks resources to remediate even the most critical vulnerabilities; they will stay
- Alexey

- Feb 1, 2022
- 1 min read

Ease of use and the absence of formal support (it is open source) make #Log4j a perfect ingredient for a sweeping security risk recipe. If a vulnerability is found in it, it is hard to fix because the library is used everywhere. And that is exactly what happened.
Log4j is a popular logging framework for #Java that has been in development since 1999. It is used to record information from an application and can be installed and configured to log data such as Java exceptions, SQL queries, and system events. It was created by the #Apache Software Foundation. Log4j has no dependencies on other libraries, which makes it lightweight and easy to integrate with other software.
The Log4j library has been making headlines recently after it was publicly disclosed that the software contains three critical #vulnerabilities. These vulnerabilities allow an #attacker to #execute arbitrary code #remotely on vulnerable systems. We have a special term for this: #RCE, Remote Code Execution.
That is scary! "We need to fix it", you would say.
But it is hard to find all the places where it is used, precisely because it is used everywhere. And it is hard to fix, because fixing requires expertise and there is no vendor to turn to.
A recent article in the Wall Street Journal revealed that some of the most common security flaws in software are not being addressed due to a lack of resources. Log4j now joins that list. The consequence is that these vulnerabilities will remain present in the community for at least the next three to five years.