
Log4Shell vulnerability Number Four: “Much ado about something”
2021-12-29 19:12

Only to return to the fray this week and find that the Apache Log4j team just put out the fourth patch in what you might call the Log4Shell Vulnerability Saga.

Apache rapidly publishes Log4j 2.15.0, fixing the primary security hole.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a remote code execution attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
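As an added example (not from the Sophos article or the Log4j project), the two checks a defender would want from the description above: whether a Log4j version falls in the affected range, and whether a Log4j 2 XML configuration contains a JDBC Appender whose DataSource is resolved through JNDI with anything other than the local `java:` protocol. The configuration text and version strings below are constructed; the backport releases listed as fixed come from the Apache advisory, not this page.

```python
import re
import xml.etree.ElementTree as ET

def parse_version(v):
    """Turn '2.17.0' or '2.0-beta7' into a comparable tuple; pre-releases sort below the release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", v.strip())
    if not m:
        raise ValueError("unrecognised Log4j version: %r" % v)
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag is None else -1, tag or "", int(tagnum or 0))

# Affected range quoted in the advisory text: 2.0-beta7 through 2.17.0 inclusive.
VULN_LOW, VULN_HIGH = parse_version("2.0-beta7"), parse_version("2.17.0")
# Maintenance releases for older Java versions that also carry the fix (Apache advisory, not this page).
FIXED_BACKPORTS = {parse_version("2.3.2"), parse_version("2.12.4")}

def version_is_affected(v):
    pv = parse_version(v)
    return VULN_LOW <= pv <= VULN_HIGH and pv not in FIXED_BACKPORTS

def audit_config(xml_text):
    """Return (appender name, jndiName, severity) for every JDBC Appender DataSource that uses JNDI."""
    findings = []
    for appender in ET.fromstring(xml_text).iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            attrs = {k.lower(): val for k, val in child.attrib.items()}  # Log4j attribute names are case-insensitive
            if child.tag.lower() == "datasource" and "jndiname" in attrs:
                jndi = attrs["jndiname"]
                # Log4j 2.17.1 only accepts the java: protocol here; ldap:, rmi:, dns: etc. mean a remote lookup.
                severity = "review" if jndi.lower().startswith("java:") else "critical"
                findings.append((appender.get("name", "?"), jndi, severity))
    return findings

# Constructed sample: one container-local DataSource and one that points outside the JVM.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="AppDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="Tampered" tableName="app_log">
      <DataSource jndiName="ldap://example.invalid:1389/o=log"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="AppDb"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for v in ("2.14.1", "2.17.0", "2.17.1", "2.12.4"):
        print(v, "affected" if version_is_affected(v) else "fixed")
    for name, jndi, sev in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] appender {name!r} resolves its DataSource via JNDI: {jndi}")
```

Any `critical` finding means the logging configuration itself has been changed to reach outside the host, which is exactly the precondition the advisory text describes, so treat the configuration file's write permissions as part of the attack surface.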

If you inherited Log4j without even realising it, as part of the Java "supply chain", and could readily replace it with something much simpler and less feature-rich, we think that would be a wise choice.

We're going to suggest, once again, that if you have found Log4j in your ecosystem recently, especially on servers where you didn't even know it was there, you should ask yourself the question, "Do I genuinely need a multi-megabyte logging toolkit consisting of close to half a million lines of source code, or would something much more modest and easier to review do at least as well?"

That's not a criticism of Apache; it's merely a reminder that inherited security problems such as Log4Shell are often the unexpected side-effect of a cybersecurity decision made years ago by someone from outside your company whom you've never met, and never will.

News URL

https://nakedsecurity.sophos.com/2021/12/29/log4shell-vulnerability-number-four-much-ado-about-something/