New log4j critical vulnerability? No problem

Recent news of a log4j critical vulnerability put the whole internet to work (at least the part of it running JVM). Especially since big organisations like the UK National Cyber Security Centre have flagged it as potentially of board-level concern.


Why is it such a big deal?

Log4j is a library used almost everywhere Java is used, as a first-class dependency or pulled by other higher-level libraries. The new vulnerability (called log4shell) allows hackers to execute code remotely – something you really don’t want. It’s estimated that over 100 million hosts are vulnerable to log4shell.

When there’s a zero-day, high-impact vulnerability like this, you need to react fast, assuming there’s a patch available (in this case, the Apache Foundation released one pretty quickly). However, having access to the patch is one thing. You still need to execute the patch on thousands of machines at lightning speed.


Therein lies the challenge.

How can you make sure images used in cloud are shipping with the patched version of log4j? 

It’s easier than you might think when you use the right tools. 

  • If you run stateless workloads in cloud

Use Nordcloud Klarity AutoPatcher, which parallelises the enterprise patching process of hosts ad infinitum – whether they’re on cloud, hybrid, running or not (say what?!?). You can supply any patching script and schedule windows, run patching plans in pipelines and get auditable output. 

How do I know it works? Well, Nordcloud’s managed services teams use it to patch thousands of customer machines everyday.

  • If you run immutable infrastructure and use golden images

Use Nordcloud Klarity ImageFactory, which streamlines your entire image lifecycle management with CIS-compatible hardening. It means shipping new images in Azure, AWS, GCP, IBM and VMWare has never been easier or cheaper. 

In ImageFactory, you can define an image template with your own components or use Klarity’s pre-built ones. Then, add hardening levels and get images immediately in your cloud tenants. When new security CVEs are released, Klarity rebuilds the image immediately and notifies you that a new image is ready and waiting for you.

Want a quick demo of how it all works?

I think you’ll be surprised at how easy it is to rectify issues like log4shell quickly with Nordcloud Klarity. And in situations like this, where a vulnerability is potentially a board-level concern, speed is everything, right?