Apache Log4j is a Java-based logging utility that is widely used in applications around the world. On December 9th, 2021, a working Proof of Concept for a Remote Code Execution (RCE) vulnerability in Apache Log4j 2 was released publicly. Within 2 hours, attackers began exploiting the vulnerability, and widespread internet scanning began to find vulnerable assets and instances of Log4j. The attacker sends a specially crafted HTTP request to servers running Apache Log4j 2 (the vulnerable systems), which then instructs the system to download and execute malicious payloads. The affected versions of Log4j were 2.0 to 2.14. CVE-2021-44228 was assigned to this RCE vulnerability. The remediation provided by Apache was to upgrade from the affected versions to version 2.15, which contained the patch and the relevant configuration setting to mitigate the vulnerability. While this vulnerability was patched in versions 2.15.0-rc1 and 2.15.0-rc2, another vulnerability (CVE-2021-45046) was discovered impacting the fix. This new vulnerability can result in a Denial of Service (DoS) if a specially crafted packet is sent to an instance running Log4j version 2.15. Apache has since released another update, version 2.16.0, which provides the fix for both of the mentioned vulnerabilities.
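The version ranges above (2.0 to 2.14 affected by CVE-2021-44228, 2.15 still exposed to CVE-2021-45046, 2.16.0 carrying the fix for both) are the practical input to an inventory check. The following is an added example, not code from the original post or from the Apache project: it classifies a Log4j 2 version string against those ranges and walks a directory tree for `log4j-core` jars, reading the version from the `META-INF/maven/.../pom.properties` entry that Maven-built jars carry (an assumption about jar layout; a jar without that entry is simply skipped). The sample jars it builds for the demo are constructed and contain only that properties file.

```python
"""Inventory check for Log4j 2 jars against the CVE-2021-44228 /
CVE-2021-45046 version ranges (added example, not Apache's tooling)."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Path inside a Maven-built log4j-core jar that records its version
# (assumed layout; present in real log4j-core jars).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.15.0-rc1' -> (2, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version):
    """Map a Log4j 2 version to the status described in the post."""
    v = parse_version(version)
    if v[0] != 2:
        return "not-log4j2"          # the post only covers the 2.x line
    if (2, 0, 0) <= v < (2, 15, 0):
        return "vulnerable"          # CVE-2021-44228 (RCE)
    if (2, 15, 0) <= v < (2, 16, 0):
        return "partially-fixed"     # CVE-2021-45046 (DoS) still applies
    return "fixed"                   # 2.16.0 and later


def scan_jar(path):
    """Return (version, status) for a log4j-core jar, or None if the jar
    does not carry the log4j-core pom.properties entry."""
    with zipfile.ZipFile(path) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", props, re.MULTILINE)
        if not m:
            return None
        version = m.group(1)
        return version, classify(version)


def scan_tree(root):
    """Walk a directory and report every log4j-core jar found, keyed by
    file name."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        try:
            result = scan_jar(path)
        except zipfile.BadZipFile:
            continue                 # not a jar at all; ignore
        if result:
            findings[path.name] = result
    return findings


def write_sample_jar(path, version):
    """Constructed sample: a minimal jar holding only the pom.properties
    entry, enough for scan_jar() to read a version from it."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS,
                     "groupId=org.apache.logging.log4j\n"
                     "artifactId=log4j-core\n"
                     f"version={version}\n")


def demo():
    """Build three constructed jars in a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for ver in ("2.14.1", "2.15.0", "2.16.0"):
        write_sample_jar(os.path.join(root, f"log4j-core-{ver}.jar"), ver)
    # A jar without the log4j-core properties entry must be skipped.
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return scan_tree(root)


if __name__ == "__main__":
    for name, (ver, status) in sorted(demo().items()):
        print(f"{name}: version {ver} -> {status}")
```

Run it on a real application tree by calling `scan_tree("/opt/app")` instead of `demo()`; anything reported as `vulnerable` or `partially-fixed` is below the 2.16.0 baseline the post describes. The version comparison is deliberately numeric so that release-candidate suffixes such as `2.15.0-rc1` land in the same bucket as 2.15.0.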