Critical RCE Zero Day Vulnerability Found in Apache Library

The Log4j library has been exploited in the wild to deliver bitcoin miners.

Chen Zhaojun, of the Alibaba Cloud Security Team, recently reported to the Apache Foundation that the Apache Log4j library contained a vulnerability: an attacker who can control log messages or log message parameters can make the library load and execute arbitrary code from an LDAP server whenever message lookup substitution is enabled.

This vulnerability (CVE-2021-44228) was found in Log4j2 versions 2.14.1 and earlier and received the maximum possible CVSS score of 10.0.

The Log4j library is in wide use in enterprise Java software, so it is imperative that anyone using it upgrade to Log4j v2.15.0.

John Hammond, a senior security researcher with Huntress, warned, “If your organization uses Apache log4j, you should upgrade to log4j-2.1.50.rc2 immediately. Be sure that your Java instance is up-to-date; however, it’s worth noting that this isn’t an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products.”

Even printers and CCTV systems are at risk. A new GitHub project has been created to map out potentially affected manufacturers and components. 

This vulnerability should not be taken lightly. If you use the Log4j library, make sure you start taking steps immediately to mitigate any risk to your company, your clients, and your data.
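The first practical step the article calls for is knowing where Log4j actually lives in your estate, including copies buried inside fat JARs, WARs and EARs. The script below is an added example, not code from the article or from the Apache project: it walks a directory tree, opens every archive it finds, reads the Maven descriptor that `log4j-core` JARs ship with (`META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`), falls back to the file name when that descriptor is absent, and flags anything older than the 2.15.0 version the article advises. The threshold is a constant so it can be raised as vendor guidance changes. The two JARs it scans in `demo()` are constructed stand-ins containing only the descriptor, not real Log4j code.

```python
"""Inventory log4j-core JARs under a directory tree and flag versions below a threshold."""
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# The article's advised upgrade target; raise this as vendor guidance changes.
MIN_SAFE_VERSION = (2, 15, 0)

# Maven-built log4j-core jars carry this descriptor. The constructed sample jars
# in demo() mimic it so the scanner can be exercised offline.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). A suffix such as '-rc2' is dropped; unparsable -> ()."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def log4j_core_version(zf: zipfile.ZipFile, label: str) -> Optional[Tuple[int, ...]]:
    """Version of log4j-core represented by this archive, or None if it is not log4j-core."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "version":
                return parse_version(value)
    m = NAME_RE.search(label)          # fallback: shaded/rebuilt jars without the descriptor
    return parse_version(m.group(1)) if m else None


def scan_zip(zf: zipfile.ZipFile, label: str, depth: int = 0) -> Iterator[Tuple[str, Tuple[int, ...]]]:
    """Yield (location, version) for log4j-core in zf and in archives nested inside it."""
    ver = log4j_core_version(zf, label)
    if ver is not None:
        yield label, ver
    if depth >= 3:                     # jar-in-war-in-ear is common; cap recursion anyway
        return
    for entry in zf.namelist():
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue
            yield from scan_zip(inner, f"{label}!{entry}", depth + 1)


def scan_tree(root: Path) -> List[Tuple[str, Tuple[int, ...], bool]]:
    """Return [(location, version, vulnerable)] for every log4j-core found under root.
    An unparsable version () sorts below any real version and is therefore flagged."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    for loc, ver in scan_zip(zf, str(path)):
                        findings.append((loc, ver, ver < MIN_SAFE_VERSION))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the Maven descriptor, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
    return buf.getvalue()


def demo(tmp_dir: Optional[str] = None) -> List[Tuple[str, Tuple[int, ...], bool]]:
    """Write two constructed archives (a bare 2.14.1 jar and a WAR embedding 2.15.0) and scan them."""
    root = Path(tmp_dir or tempfile.mkdtemp())
    (root / "log4j-core-2.14.1.jar").write_bytes(build_sample_jar("2.14.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", build_sample_jar("2.15.0"))
    (root / "app.war").write_bytes(war.getvalue())
    return sorted(scan_tree(root))


if __name__ == "__main__":
    for loc, ver, vulnerable in demo():
        print("VULNERABLE" if vulnerable else "ok        ", ".".join(map(str, ver)), loc)
```

Run it against a real application directory with `scan_tree(Path("/opt/apps"))`; the nested-archive walk is what catches the copies a plain `find -name 'log4j-core*'` misses, which is exactly the case the article's point about vendor-bundled products describes.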

12/14/2021
