Security News > 2021 > December > New zero-day exploit for Log4j Java library is an enterprise nightmare
Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to remote code execution attacks.
Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.
The bug, now tracked as CVE-2021-44228, is an unauthenticated RCE vulnerability allowing complete system takeover, was reported by Alibaba Cloud's security team to Apache on November 24.
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j vulnerable to remote code execution.
"Anybody using Apache Struts is likely vulnerable. We've seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach."
While Apache published a Log4j release candidate version three days ago, likely containing a fix for this flaw, security researchers already discovered a bypass and recommend updating to the latest RC build log4j-2.15.0-rc2.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity apache siemens intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple CWE-502 critical | 10.0 |