It is the most widely used logging framework in the Java ecosystem. “This new Log4j vulnerability is likely going to be another “flashbulb memory” event in the timeline of significant vulnerabilities. Organizations using Log4j in their software should upgrade it to the latest 2.15 version immediately which is available from Maven Central.ĬTO of Sonatype, Brian Fox provided further insight on the Log4j vulnerability and the potential impact it could have worldwide in an email to TechRadar Pro, saying: Just like with other remote code execution attacks in the past, there is also strong evidence that hackers and other cybercriminals have begun to mass scan the internet for applications in which this vulnerability has yet to be patched. This vulnerability affects any application that uses Log4j for logging including popular games such as Minecraft where Sonatype has already seen evidence of it being exploited using its built-in chat functionality. Thankfully though, Apache has published a fix to the issue but now software makers will still need to install it to protect their customers. The vulnerability affects Apache Log4j between versions 2.0 and 2.141 and at the time of writing, there have already been reports of it being successfully exploited on some Java 11 runtimes. Log4j exploitĪccording to a new blog post from Sonatype, news of the Log4j exploit broke when a vulnerability Proof of Concept (PoC) was published in a GitHub repository and made public. This new exploit could end up being even more dangerous though as Log4j has been widely adopted in most of the Java ecosystem. To put this vulnerability into context, a similar one was used in the 2017 hack of Equifax which led to the personal data of 149.7m people being exposed online.
Since Apache’s Log4j is almost ubiquitous in Java applications, immediate action is required by software maintainers who will need to patch it to prevent falling victim to any potential attacks. Tracked as CVE-2021-44228, this type of vulnerability is especially dangerous as it can be exploited to run any code and requires very low skills for an attacker to pull off. A new zero-day vulnerability in the popular Java logging framework Log4j has been discovered which has the potential to affect Minecraft, iCloud, Steam and numerous other software products that use Java in their code.
0 kommentar(er)
