CTM Insights Managing Partner Lou Steinberg in The CyberWire

Log4shell: exploitation and remediation.

Die Zeit, in a long and glum piece on the implications of the Log4shell vulnerability, points out that the term “affected” can be ambiguous, particularly when it appears in phrases like “not affected.” (“What ‘affected’ means in the specific cases is not always clear.”) What counts as “affected?” It’s not necessarily synonymous with “attacked,” “breached,” or even “vulnerable.” If you’ve had to devote time and resources to inventorying your software for a specific vulnerability, there’s a sense in which you’ve “been affected,” even if at the end of it all you’ve found nothing. In any case, remediation and defense remain a long and complicated slog.