CyberSec Roundup
A Synopsis of the Latest Cybersecurity News
The Log4j Headache
A year ago, almost to the day, we discussed the SolarWinds hack, which was rocking the cybersecurity landscape at the time. Sadly, this Christmas we are discussing the very serious Log4j vulnerabilities, which are also causing major headaches.
1st Vulnerability
The first vulnerability, tracked as CVE-2021-44228, is in the Apache Log4j logging utility and allows unauthenticated attackers to gain control of a server that uses it. Apache released patch version 2.15 to address this; however, they subsequently realized there was another problem.
2nd Vulnerability
Apache discovered a new vulnerability, tracked as CVE-2021-45046, which could allow attackers to perform denial-of-service attacks by crafting malicious input data using a JNDI Lookup pattern. Patch version 2.16 was released to also cover this type of attack, but then another issue was discovered.
3rd Vulnerability
Apache disclosed that denial-of-service attacks were still possible, as the previous patch did not offer protection from infinite recursion in lookup evaluation. Patch version 2.17 was released to address this vulnerability, tracked as CVE-2021-45105.
Business Impact
The impact of the Log4j vulnerabilities has been tremendous: the component is present in so many applications that most organizations either need to patch something themselves or are using a vendor application that needs to be patched. Attackers are also scanning for vulnerable servers and using the vulnerability to deploy ransomware. It is possible that more vulnerabilities will be discovered and more patches will be needed, so it will be another busy Christmas for cybersecurity professionals.
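A small inventory check that turns the three patch levels above into a triage list is one practical way to start the patching work described here. The script below is an added example, not part of the original roundup: it assumes log4j-core jars are named log4j-core-<version>.jar, and it models only the main 2.x line (2.15, 2.16, 2.17) named in the text, not branches with backported fixes.

```python
"""Report which Log4j CVEs from the roundup a given log4j-core jar is still exposed to."""
import re
from pathlib import Path

# Patch levels named in the roundup: 2.15 fixes CVE-2021-44228, 2.16 fixes
# CVE-2021-45046, 2.17 fixes CVE-2021-45105. Assumption: main 2.x line only;
# release branches with backported fixes for older Java are not modelled here.
FIXES = [
    ((2, 15), "CVE-2021-44228"),
    ((2, 16), "CVE-2021-45046"),
    ((2, 17), "CVE-2021-45105"),
]

# Assumed jar naming convention: log4j-core-<major>.<minor>[.<patch>].jar
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(name):
    """Return (major, minor, patch) from a log4j-core jar filename, or None."""
    m = JAR_RE.search(name)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def exposed_cves(version):
    """CVEs from the roundup that a log4j-core version is still exposed to."""
    major, minor = version[0], version[1]
    if major != 2:
        return []  # Log4j 1.x is a different code base and is out of scope here
    return [cve for fix, cve in FIXES if (major, minor) < fix]


def report(filenames):
    """Map each recognised log4j-core jar name to its outstanding CVEs."""
    findings = {}
    for name in filenames:
        ver = parse_version(name)
        if ver is not None:
            findings[name] = exposed_cves(ver)
    return findings


def scan(root):
    """Walk a directory tree and report every log4j-core jar found under it."""
    return report(str(p) for p in Path(root).rglob("log4j-core-*.jar"))


if __name__ == "__main__":
    # Constructed sample inventory standing in for a real directory walk.
    sample = ["log4j-core-2.14.1.jar", "log4j-core-2.15.0.jar",
              "log4j-core-2.17.0.jar", "log4j-api-2.14.1.jar"]
    for jar, cves in report(sample).items():
        print(f"{jar}: {', '.join(cves) or 'no outstanding CVEs from this roundup'}")
```

Run scan("/path/to/app") against a deployed application directory to get the same map for real files; an empty list means the jar is at or past 2.17 for the issues covered here.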
By: David Pinder
IT & Security Consultant
Certified Ethical Hacker (Master)