Security News > 2021 > December > New zero-day exploit for Log4j Java library is an enterprise nightmare

New zero-day exploit for Log4j Java library is an enterprise nightmare
2021-12-10 09:59

Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to remote code execution attacks.

Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.

The bug, now tracked as CVE-2021-44228, is an unauthenticated RCE vulnerability allowing complete system takeover, was reported by Alibaba Cloud's security team to Apache on November 24.

Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j vulnerable to remote code execution.

"Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach."

While Apache published a Log4j release candidate version three days ago, likely containing a fix for this flaw, security researchers already discovered a bypass and recommend updating to the latest RC build log4j-2.15.0-rc2.


News URL

https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/