Security News > 2021 > December > Log4Shell: A new fix, details of active attacks, and risk mitigation recommendations
Due to the extraordinary widespread use of the open-source Apache Log4j library, the saga of the Log4Shell vulnerability is nowhere near finished.
The recent discovery of a second Log4j vulnerability has shown that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
Through its agentless device security platform, Armis has detected Log4Shell attack attempts in over a third of their clients, and are continuing to see new attacks every day.
Log4J is an extremely basic library that allows log writing in Java applications.
The way CVE-2021-44228 affects comes in 3 layers - cloud products that directly use the Log4J, web applications that use libraries that use Log4J, and off-the-shelf software which is internally deployed on customer servers and endpoints," says Michael Assraf, CEO at Vicarius.
"As fixing and deploying cloud applications can be fast, updating libraries that use Log4J can break functionality unless done with caution.
News URL
https://www.helpnetsecurity.com/2021/12/15/log4shell-mitigation/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity apache siemens intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple CWE-502 critical | 10.0 |