New zero-day exploit for Log4j Java library is an enterprise nightmare

2021-12-10 09:59

Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to remote code execution attacks.

Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.

The bug, now tracked as CVE-2021-44228, is an unauthenticated RCE vulnerability allowing complete system takeover, was reported by Alibaba Cloud's security team to Apache on November 24.

Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j vulnerable to remote code execution.

"Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach."

While Apache published a Log4j release candidate version three days ago, likely containing a fix for this flaw, security researchers already discovered a bypass and recommend updating to the latest RC build log4j-2.15.0-rc2.

News URL

https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/

#exploit #java #log4j #zeroday #CVE-2021-44228

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2021-12-10	CVE-2021-44228	Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity apache siemens intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple critical	10.0

News URL

Related news

Related Vulnerability