Security News > 2021 > December > New zero-day exploit for Log4j Java library is an enterprise nightmare
Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to remote code execution attacks.
Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.
The bug, now tracked as CVE-2021-44228, is an unauthenticated RCE vulnerability allowing complete system takeover, was reported by Alibaba Cloud's security team to Apache on November 24.
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j vulnerable to remote code execution.
"Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach."
While Apache published a Log4j release candidate version three days ago, likely containing a fix for this flaw, security researchers already discovered a bypass and recommend updating to the latest RC build log4j-2.15.0-rc2.
News URL
Related news
- APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- ⚡ Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More (source)
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
- Enterprise tech dominates zero-day exploits with no signs of slowdown (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity siemens apache intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple CWE-502 critical | 10.0 |