Security News > 2022 > February > ‘Long Live Log4Shell’: CVE-2021-44228 Not Dead Yet
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, stated in a public news interview that the now-infamous Log4j flaw is the "The most serious vulnerability that [she has] seen in her career." It's not a stretch to say the whole security industry would agree.
You all probably already know- on December 9, a remote code execution vulnerability was uncovered in the programming library named Log4j, which is nearly ubiquitous in Java applications and software used all across the internet.
Keeping up with the amount of information on the Log4shell vulnerability felt like drinking from a firehose.
Thanks to the initial access vector from the Log4j vulnerability in the VMware Horizon server, the operator runs commands under the context of the "NT AUTHORITYSYSTEM" user: the absolute owner and administrator of the device.
The CVE-2021-44228 Log4j vulnerability offers initial access, which means hackers can then perform all the disruption, degradation and potential destruction they wish.
While the cybersecurity industry moves through the beginning of 2022, the Log4j nightmare is just another incident that makes us want to say goodbye and good riddance to 2021.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-10 | CVE-2021-44228 | Deserialization of Untrusted Data vulnerability in multiple products Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. network low complexity apache siemens intel debian fedoraproject sonicwall netapp cisco snowsoftware bentley percussion apple CWE-502 critical | 10.0 |