The anatomy of Log4Shell By now, we are all familiar with the fact that Log4Shell is just about as critical as a critical vulnerability can get – scoring a 10 out of 10 on the National Institute of Standards and Technology’s CVSS severity scale. As it targets a library – Apache Log4j2 – that nearly […]

The Night Sky ransomware operation started exploiting the Log4Shell flaw ( CVE-2021-44228 ) in the Log4j library to gain access to VMware Horizon systems. The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations from Bangladesh and Japan respectively. The gang has also set up a leak site on […]

“It’s Log4Shell, Jim,” as Commander Spock never actually said, “But not as we know it.” That’s the briefest summary we can come up with of the bug CVE-2021-42392, a security hole recently reported by researchers at software supply chain management company Jfrog. This time, the bug isn’t in Apache’s beleagured Log4j toolkit, but can be found in a […]

The Google Open Source Team scanned the Maven Central Java package repository and found that 35,863 packages (8% of the total) were using versions of the Apache Log4j library vulnerable to Log4Shell exploit and to the CVE-2021-45046 RCE. “More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted […]

As Christmas 2021 approaches, spare a thought for your sysamins, for your IT team, and for your cybersecurity staff. There may be plenty of mice stirring all through the IT house right up to Christmas Eve… …because that’s the deadline set by the US Cybersecurity and Infrastructure Security Agency (CISA) for patching the infamous Log4Shell vulnerability, a dangerously […]

Experts warn that threat actors are actively attempting to exploit a second bug disclosed in the popular Log4j logging library. American web infrastructure and website security company Cloudflare warns that threat actors are actively attempting to exploit a second vulnerability, tracked as CVE-2021-45046, disclosed in the Log4j library. The CVE-2021-45046 received a CVSS score of 3.7 and affects Log4j […]

New versions of Log4j The recent discovery of a second Log4j vulnerability (CVE-2021-45046) has shown that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This vulnerability could allow attackers to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. “Note […]

Maybe Log4j vulnerabilities are like rats—for every one that’s visible, multiple others scurry beneath the surface. It’s too early to tell if that’s what will happen with Log4j. But just a day or so after a damaging vulnerability was disclosed, another has come to light. This time it’s believed to be moderate in severity. “A […]

CISA adds Log4Shell Log4j flaw to the Known Exploited Vulnerabilities Catalog The U.S. CISA added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including Apache Log4Shell Log4j and Fortinet FortiOS issues. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including recently disclosed Apache Log4Shell Log4j and Fortinet FortiOS flaws. […]

Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for a critical remote code execution zero-day vulnerability, tracked a CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library. The Log4j is widely used by both enterprise apps and cloud services, including Apple iCloud and Steam. A remote, unauthenticated attacker can exploit the CVE-2021-44228 to execute arbitrary code on a vulnerable system […]