Java Log4j Vulnerability
Last updated on January 9, 2022 by Cyber Defense Trends
The log4j vulnerability is a zero-day vulnerability, meaning that from the day it is made public, anyone with the skills can look for
software that is vulnerable and take advantage of it to cause harm, before most affected systems have been patched.
First made public in December 2021, the effects of the log4j vulnerability are still ongoing. So many software applications use log4j that any vendor shipping one of them
is potentially open to attack until it closes off the vulnerability.
Log4j is a Java library used for logging within software applications. Logging provides a way to read through the behavior of a software application
and is often used for debugging. Most software applications include some kind of logging, and rather than every software developer writing their own code to write logs,
using the existing log4j library saves them time and also ensures that software applications do their logging in a consistent way.
The initial log4j vulnerability was found in December 2021 and was made public as CVE-2021-44228.
CVE-2021-44228
This was the original log4j vulnerability, found in December 2021. Known also as Log4Shell, it allowed remote code execution, as well as
access to information that should not have been accessible. It affected
Apache Log4j versions 2.0-beta9 to 2.14.1. All software applications using these versions of log4j must be upgraded, preferably to version 2.17 or later.
CVE-2021-45046
This vulnerability was present in versions 2.0-beta9 to 2.15.0 (although not in 2.12.2) and allowed for the possibility
of a denial of service attack, as well as remote code execution and access to information that should not be accessible.
Upgrading log4j is recommended, and because of the issue with 2.16 described below, upgrades should go to version 2.17 or later.
CVE-2021-45105
Affecting log4j versions 2.0-beta9 to 2.16.0, this vulnerability allowed for the possibility of a denial of service attack when log4j was used in certain non-default configurations.
Upgrading to version 2.17 or later addresses this vulnerability.
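The practical first step for a defender is an inventory: find every copy of log4j-core on a host and decide which of the three advisories above applies to it. The following is an added example, not code from the original post. It encodes the version ranges exactly as the post states them, parses Log4j version strings (including pre-releases such as 2.0-beta9), and reads the version recorded inside a jar file. The jar check assumes a Maven-built log4j-core jar, which carries a META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties entry; a repackaged or shaded copy may not have that file and would need a different check. The sample jar used at the bottom is constructed in memory for demonstration.

```python
"""Classify Log4j 2 versions against the three advisories discussed above.

Added example (not from the original post). Affected ranges are transcribed
from the post; the jar inspection assumes a Maven-built log4j-core jar.
"""
import io
import os
import re
import zipfile

# Pre-release tags sort before the final release of the same number.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 9
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE
)


def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    if pre:
        pre_part = (_PRE_RANK[pre.lower()], int(pre_num or 0))
    else:
        pre_part = (_FINAL_RANK, 0)
    return (int(major), int(minor), int(patch or 0)) + pre_part


# (CVE id, first affected, last affected, explicitly excluded versions, impact)
ADVISORIES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", (), "remote code execution (Log4Shell)"),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",), "RCE, information disclosure, DoS"),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", (), "denial of service in some configurations"),
]
FIXED_VERSION = "2.17.0"  # the post's upgrade target


def affected_cves(version):
    """Return the CVE ids from ADVISORIES whose range contains `version`."""
    v = parse_version(version)
    hits = []
    for cve, low, high, excluded, _impact in ADVISORIES:
        in_range = parse_version(low) <= v <= parse_version(high)
        if in_range and v not in [parse_version(x) for x in excluded]:
            hits.append(cve)
    return hits


def needs_upgrade(version):
    """True when the version is older than the post's recommended 2.17."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# Assumption: Maven-built log4j-core jars record their version here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def version_from_jar(jar):
    """Read the log4j-core version from a jar (path or file object).

    Returns None when the jar does not carry the log4j-core pom.properties.
    """
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
        for line in text.splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def scan_tree(root):
    """Walk `root`, inspect every .jar and map path -> (version, cves)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version = version_from_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip it
            if version:
                findings[path] = (version, affected_cves(version))
    return findings


def build_sample_jar(version):
    """Constructed fixture: an in-memory jar holding only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for v in ["2.0-beta9", "2.12.2", "2.14.1", "2.15.0", "2.16.0", "2.17.0"]:
        print(f"{v:10} upgrade={needs_upgrade(v)!s:5} {affected_cves(v) or 'no listed CVE'}")
    print("sample jar reports", version_from_jar(build_sample_jar("2.14.1")))
```

Run `scan_tree("/opt/myapp")` (path is a placeholder) on a host to list every Maven-built log4j-core jar with the advisories that apply to it. A jar that reports a version below 2.17.0 is an upgrade candidate regardless of which individual CVEs match, which is the post's recommendation.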