Severe Flaw In Java Library Sends Sysadmins Scrambling To Patch Everything

A new actively exploited vulnerability has been discovered and sysadmins around the world are scrambling to patch all the things. MalwareBytes has a very good description of this here, but here’s the highlights:

If you’re running a service that relies on Apache Struts or uses the popular Apache Log4j utility we hope you haven’t made plans for the weekend.

An exploit listed as CVE-2021-44228 was made public on December 9, 2021. The exploit is simple, easy to trigger, and can be used to perform remote code execution (RCE) in vulnerable systems, which could allow an attacker to gain full control of them. All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.

The vulnerability has a CVSS score of 10.0 out of a possible 10. It impacts Apache Log4j versions 2.0-beta9 to 2.14.1. Mitigations are available for version 2.10 and higher.

Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the potential reach of this problem is enormous.

I can say that many companies are scrambling to patch the vulnerability via asking my friends “off the record”. I have to assume that it includes Steam and Apple as they are specifically called out as being vulnerable. That’s because it is being actively exploited. Thus making this is as non trivial as “non trivial” gets.

Yikes!

One Response to “Severe Flaw In Java Library Sends Sysadmins Scrambling To Patch Everything”

  1. […] of the rather catastrophic Log4j vulnerability that sent the planet scrambling to patch all the things last week before they were exploited by bad […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: