Hype is endemic in the world of cybersecurity, as is the spread of fear, uncertainty, and doubt. Lots of software has flaws; they can’t all be so bad. By all accounts, though, the Log4j vulnerability—also known as Log4Shell—lives up to the hype for a host of reasons. First is the ubiquity of Log4j itself. As a logging framework, it helps developers keep track of whatever goes on inside their apps. Because it’s open source and reliable, plugging in Log4j instead of building your own logging library from scratch has become standard practice. Moreover, so much of modern software is cobbled together from various vendors and products that it may be difficult, if not impossible, for many potential victims to even know the full extent of their exposure. If your code’s innermost Matryoshka doll runs Log4j, good luck finding it.
www.wired.com/story/log4j-log4shell-vulnerability-ransomware-second-wave/