Critical New 0-day Vulnerability in Popular Log4j Library Discovered  with Evidence of Mass Scanning for Affected Applications

News broke early Friday morning of a serious 0-day Remote Code Execution exploit in log4j – CVE-2021-44228– the most popular java logging framework used by Java software far and wide. This type of vulnerability is especially dangerous as it can be used to run any code via your software and requires very low skills to pull off from an attacker. Log4j is near ubiquitous in Java applications, so immediate action is needed from software maintainers to patch. 

This affects anyone using log4j to perform logging, and anyone using software that uses log4 which is a large population of enterprise Java software currently available.

A similar vulnerability was used in the famous Equifax hack with devastating results. What makes this issue potentially more dangerous is the wide adoption of log4j in most of the Java ecosystem.

What is the Log4j Exploit?

Early Friday morning GMT a vulnerability Proof of Concept was published in a github repository and made public. 

It affects Apache log4j between versions 2.0 and 2.14.1 and according to some sources, only on JDK versions below 6u211, 7u201, 8u191 and 11.0.1 . Coordinated with this release, Apache published a fix to the issue.

This is a low skilled attack that is extremely simple to execute. It allows the attacker to run Arbitrary Code on any application that is vulnerable and use this capability to execute an attack. Compared to the famous 2017 Struts2 CVE that led to the Equifax vulnerability this issue is potentially more far reaching, as log4j is a far more widely adopted component.

This vulnerability affects any application that uses log4j for logging – which includes software such as Minecraft, where we’ve already seen evidence of the vulnerability being exploitable using the built-in chat functionality.  It’s (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild

Recent Posts

Google: Zero-Day Attacks Rise, Spyware and China are Dangers

The number of zero-day vulnerabilities that are exploited jumped in 2023, with enterprises becoming a larger target and spyware vendors…

30 mins ago

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

Singapore, Singapore, March 28th, 2024, CyberwireGoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report that highlights…

58 mins ago

Checkmarx Aligns With Wiz to Improve Application Security

Checkmarx has integrated its platform for securing application development environments with Wiz's CNAPP.

1 hour ago

Empowering Educational Compliance: Navigating the Future with Autonomous Pentesting in Academia

How Autonomous Pentesting with NodeZero Transformed University Protection The post Empowering Educational Compliance: Navigating the Future with Autonomous Pentesting in…

2 hours ago

Cyber Risk Management: A Beginner’s Guide

With the emergence of new cybersecurity regulations like the SEC’s incident disclosure rules and the EU’s NIS2 Directive, much attention…

3 hours ago

Cybersecurity Infrastructure Investment Crashes and Burns Without Governance

Just like pilot awareness is crucial during unexpected aviation events, cybersecurity's traditional focus on infrastructure needs to shift to more…

3 hours ago