Security News > 2022 > January > How Can You Leave Log4J in 2021?

With the last month of 2021 dominated by the log4J vulnerabilities discovery, publication, and patches popping up in rapid succession, odds are you have patched your system against Log4J exploitation attempts.

3 - The odds of missing at least one instance of Log4J are high: All version of Log4J from the September 2013 V2.0-beta9 onwards carry those vulnerabilities.

As all Java files, Log4J can nested a few layers deep into other files, and can easily be missed when frenetically applying patches, and, to make matters worse, Log4J is extremely popular, with a reported 80% of Java affected packages that cannot be updated directly and require coordination between different project teams to effectively patch.

Running Log4J updated vulnerability scanners is a good starting point but no single scanner can spot all the indirect or transitive Log4J dependencies, especially when it gets pulled in as a transitive dependency that lacks an explicit definition of Log4J. Scanners' Log4J blind spots mean that validating the efficiency of the patching process through offensive testing is a non-optional necessity.

Using these offensive testing techniques, some clients effectively detected supply chain induced Log4J vulnerabilities before the supplier had published a patch.

To avoid the risks stemming from the deadly combination of acute stress, frantic patching cycle and hidden instances, whether for Log4J or the next big one - and even small one - it pays to tun continuous validation that not only scan for vulnerabilities but also safely tests if production-safe payload were effectively detected and stopped, and thoroughly assesses the effectiveness of your security policies and controls pre- and post-patching.

News URL

https://thehackernews.com/2022/01/how-can-you-leave-log4j-in-2021.html