Upon discovery, it was a massive concern, because the ubiquitous nature of Log4j meant it was (and is) embedded in a vast array of applications, services and enterprise software tools that are written in Java and used by organizations and individuals around the world.
Such was the danger posed by Log4j that the National Institute of Standards and Technology (NIST) gave the vulnerability a Common Vulnerability Scoring System (CVSS) score of 10 – classing it as a highly severe, critical vulnerability – and within hours of disclosure, it was being exploited by cybercriminals.
Just last month – almost a year on from the initial disclosure – CISA and the FBI put out a security alert, warning that if organizations hadn't yet patched or mitigated Log4j vulnerabilities, they should assume their network is compromised and act accordingly.
The alert came after an investigation into a cyberattack against what CISA and the FBI describe as a 'federal civilian executive branch' organization. If a government body can't plug the security holes correctly, then what chances do other organizations have?
That means organizations can't simply ignore vulnerabilities and hope they go away. Fixing these issues is a challenge, but taking notice of security alerts and warnings to ensure your network is protected is an absolute must.
It's just one of the reasons why the responsible thing for organizations of any size to do is to provide the budget for a suitably sized information security team, which can help detect and mitigate threats before they affect your business and its customers.
ZDNET'S MONDAY OPENER
ZDNET's Monday Opener is our opening take on the week in tech, written by members of our editorial team.