Critical Apache Log4j Vulnerability Updates

Cyber Security tips and recommendations
MikePeller
Site Admin
Posts: 124
Joined: Fri Dec 02, 2005 9:39 am
Location: Tucson

Post by MikePeller »

A lot has happened in the last few weeks relating to vulnerabilities associated with the Apache Foundation's Log4j product, and because we didn't publish our Threat Intelligence Briefs over the holidays, we wanted to make sure you had access to our latest research.
Beginning on December 9th, most of the internet-connected world was forced to reckon with a critical new vulnerability discovered in the Apache Log4j framework deployed in countless servers. Officially labeled CVE-2021-44228, but colloquially known as "Log4Shell", this vulnerability is both trivial to exploit and allows for full remote code execution on a target system. This has earned the vulnerability a CVSS score of 10 - the maximum.
On December 14th, the Apache Software Foundation revealed a second Log4j vulnerability (CVE-2021-45046). It was initially identified as a Denial-of-Service (DoS) vulnerability with a CVSS score of 3.7 and moderate severity. Things went from bad to worse on December 16th due to the discovery of information leaks and the remote code execution nature of the vulnerability. This prompted Apache to update the advisory and upgrade the CVSS score for this vulnerability to 9.0.
On December 18th, a third Log4j vulnerability was discovered (CVE-2021-45105) that detailed how Apache Log4j2 does not always protect against infinite recursions in lookup evaluations. On December 19th, a "wormable" variant of the Mirai IoT malware incorporating exploit code for CVE-2021-44228 was discovered. Various chatter on OSINT channels has discussed whether this is a "worm."
This FortiGuard Labs blog describes what you need to know about the Apache Log4j vulnerabilities, including details, campaigns associated with Log4j, and an alleged "wormable" Mirai malware variant. FortiGuard Labs also delivered an in-depth webinar on our research around Log4j. An on-demand recording of that webinar, Log4j: Vulnerabilities Explained, Protections Provided, is now available.