Log4j: A cybersecurity threat tale on memes

Log4j 2 is an open-source Java logging library developed by the Apache Foundation. Chen Zhaojun of Alibaba Cloud Security Team discovered a vulnerability that impacts Apache Log4j 2 versions 2.0 to 2.14.1.

The vulnerability allows for unauthenticated remote code execution.

And that problem ruined the holiday plans of infosec teams.

On December 9, Apache released details on the critical vulnerability in Log4j, rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

On December 10, the UK NCSC issued a Log4j warning to UK organizations, urging them to update both internet-facing and non-internet-facing software.

On December 14, a second Log4j vulnerability carrying a denial-of-service threat was detected.

A new patch was released after that. On December 17, a third Log4j vulnerability was revealed, and a new fix was made available.

On December 20, Log4j was exploited to install Dridex and Meterpreter. Dridex steals bank credentials via a system that uses macros from Microsoft Word, while Meterpreter is a Metasploit attack payload that affects Linux OS.

Security professionals say that the latest vulnerability in Apache Log4j does not pose an increased security risk for the majority of organizations. Therefore, it should not be necessary to immediately patch to version 2.17.1.
