Security News

There's an enormous amount of software vulnerable to the Log4j bug through Java software supply chains - and administrators and security pros likely don't even know where to look for it. About 17,000 Java packages in the Maven Central repository, the most significant collection of Java packages available to developers, are vulnerable to Log4j - and it will likely take "Years" for it to be fixed across the ecosystem, according to Google security.

The Belgian Ministry of Defence has suffered a cyber attack after miscreants exploited one of the vulnerabilities in Log4j. The attack marks the first occasion that a NATO country's defence ministry has fallen victim to the flaws.

Threat actors now exploit the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices with the notorious Dridex banking trojan or Meterpreter. The Dridex malware is a banking trojan originally developed to steal online banking credentials from victims.

No, you're not seeing triple: On Friday, Apache released yet another patch - version 2.17 - for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug. The latest bug isn't a variant of the Log4Shell remote-code execution bug that's plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service in Apache's initial patch.

The Apache Log4j saga continues, as several new vulnerabilities have been discovered in the popular library since Log4Shell was fixed by releasing Log4j v2.15.0. There is going to be continued focus on log4j vulns for some time.

The Apache Software Foundation has revealed a third bug in its Log4 Java-based open-source logging library Log4j. CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0.

Cybersecurity researchers have discovered an entirely new attack vector that enables adversaries to exploit the Log4Shell vulnerability on servers locally by using a JavaScript WebSocket connection. "This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability," Matthew Warner, CTO of Blumira, said.

The issues with Log4j continued to stack up as the Apache Software Foundation on Friday rolled out yet another patch for the widely used logging library that could be exploited by malicious actors to stage a denial-of-service attack. Tracked as CVE-2021-45105, the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution, which, in turn, stemmed from an "Incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.

Suspicion of a DoS bug affecting log4j 2.16.0 arose on Apache's JIRA project about three days ago, shortly after 2.15.0 was found to be vulnerable to a minor DoS vulnerability. Log4j 2.17.0 out today, fixes DoS. Tracked as CVE-2021-45105, and scored 'High' on the CVSS scale, the DoS flaw exists as log4j 2.16 "Does not always protect from infinite recursion in lookup evaluation."

The Apache Software Foundation has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as "Incomplete in certain non-default configurations." The second vulnerability - tracked as CVE-2021-45046 - is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability that could be abused to infiltrate and take over systems.