Security News > 2021 > December > Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack
An excruciating, easily exploited flaw in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution and complete server takeover - and it's being exploited in the wild.
New #0-day vulnerability tracked under "Log4Shell" and CVE-2021-44228 discovered in Apache Log4j We are observing attacks in our honeypot infrastructure coming from the TOR network.
This problem is going to cause a mini-internet meltdown, experts said, given that Log4j is incorporated into scads of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid and Apache Flink.
It's been assigned the maximum CVSS score of 10, given how relatively easy it is to exploit, attackers' ability to seize control of targeted servers and the ubiquity of Log4j.
The security firm said that affected versions are 2.0 <= Apache log4j <= 2.14.1.
To keep the library from being exploited, it's urgently recommended that Log4j versions are upgraded to log4j-2.15.0-rc1.
News URL
https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/
Related news
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack (source)
- Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks (source)
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack (source)
- Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days (source)
- Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks (source)
- Apache Cordova App Harness Targeted in Dependency Confusion Attack (source)
- Google fixes fifth Chrome zero-day exploited in attacks this year (source)
- Apple backports fix for zero-day exploited in attacks to older iPhones (source)
- Microsoft fixes Windows zero-day exploited in QakBot malware attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity apache siemens intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion CWE-502 critical | 10.0 |