Originally posted by StiffLegged:
Just to be clear: this vulnerability is with Java on Apache installations?
It's with a certain Java library called log4j, which (unsurprisingly) is used to write application logs... except that an attacker might control what's written in the log, and the vulnerability means they could gain access to the system this way.
I'm not exactly clear on what it does and how; that's a subject for tomorrow (i.e. work day).
But the advice to update Java stands. Later versions (even later Java 8 versions) would mitigate this issue at least partially.
log4j is not used only by the Apache web server.