"This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable." - Marcus Hutchins, December 10, 2021

Log4j is a Java-based logging package used by developers to log errors. Due to the popularity of the log4j library, many major publishers and manufacturers have been assessing their software to determine whether it has been impacted or not. Big names like Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and more make use of the log4j library.

On December 14, 2021, a second, much less critical vulnerability was found. This means if an application you were using was vulnerable to the original log4j vulnerability, you will most likely have to update it again. The new Apache security advisory mentions that attackers can "craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS) attack". To fix the issue, log4j 2.16.0 has been released.

Third Log4j Vulnerability

On December 18, 2021, a third vulnerability was disclosed, CVE-2021-45105. While this one was less severe, only sporting a CVSS base score of 5.9, the vulnerability did result in a new updated log4j version of 2.17.0. The issue itself lies in the log4j API which can be crashed using a crafted variable.
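Because each disclosure above came with a new release, the practical first step is an inventory of which log4j-core versions are actually deployed. The following Python sketch is an added example, not code from the original post or from Apache: it finds log4j-core jars in a directory tree, including one level inside jar/war/ear archives, and compares their versions with the 2.16.0 and 2.17.0 releases named in the article. The function names and the sample files are constructed for illustration, and shaded or renamed copies of the library are not detected.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Release numbers come from the article. Plain comparison against them is an
# assumption of this sketch; separately patched release lines are not modelled.
FIX_SECOND = (2, 16, 0)  # released for the December 14, 2021 issue
FIX_THIRD = (2, 17, 0)   # released for CVE-2021-45105
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")
ARCHIVES = {".jar", ".war", ".ear"}

def parse_version(name):
    """Return (major, minor, patch) from a log4j-core jar name, else None."""
    m = JAR_RE.search(name)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def classify(version):
    if version < FIX_SECOND:
        return "below 2.16.0"
    if version < FIX_THIRD:
        return "below 2.17.0"
    return "2.17.0 or later"

def scan(root):
    """Find log4j-core jars on disk and one level inside jar/war/ear files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ARCHIVES:
            continue
        names = [path.name]
        try:
            with zipfile.ZipFile(path) as zf:
                names += zf.namelist()  # bundled libraries, e.g. WEB-INF/lib/
        except (zipfile.BadZipFile, OSError):
            pass  # unreadable archive: still judge it by its file name
        for name in names:
            version = parse_version(name)
            if version:
                findings.append((path.name, name, classify(version)))
    return findings

def demo():
    """Scan a constructed directory (empty stand-in files, not real software)."""
    with tempfile.TemporaryDirectory() as tmp:
        for ver in ("2.14.1", "2.17.0"):
            Path(tmp, f"log4j-core-{ver}.jar").write_bytes(b"")
        with zipfile.ZipFile(Path(tmp, "app.war"), "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", b"")
        return scan(tmp)
```

Calling `scan()` on an application or install directory returns one tuple per copy found: the archive, the matching entry, and how its version compares with the two releases.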