A vulnerability in Apache Log4j, a widely used logging package for Java, has been found. The vulnerability, which can allow an attacker to execute arbitrary code by sending crafted log messages, has been identified as CVE-2021-44228 and given the name Log4Shell. It was first reported privately to Apache on November 24 and was patched with version 2.15.0 of Log4j on December 9. It affects Apache Struts, Apache Solr, Apache Druid, Elasticsearch, Apache Dubbo, and VMware vCenter.

Read more about it in our latest blog, "Are Endpoints at Risk for Log4Shell Attacks?"

Update as of Dec 18, 2021: We have created a tool that scans for Log4j vulnerabilities on servers and endpoints.

19, 2021: Our researchers at Zero Day Initiative published a great analysis on the Log4j vulnerability CVE-2021-45105 that causes denial of service.

Update as of Dec 22, 2021: The Impact section has been updated with information on the various payloads discovered after the start of the Log4Shell attacks.

Update as of Dec 28, 2021: The latest Log4j vulnerability, CVE-2021-44832, has now been addressed in the Log4j 2.17.1 release.
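The fix versions above can be turned into an inventory check. The following is an added example, not the scanning tool the post mentions and not code from its authors: it looks for `log4j-core` jars inside ZIP-format archives, including jars nested in WARs and fat jars, and lists which of the three CVEs named on this page each copy still lacks a fix for. It assumes versions can be read from the jar file name, models only the mainline 2.x release line (not the 2.3.x/2.12.x backports), and takes the 2.17.0 fix version for CVE-2021-45105 from the Apache advisory, since the page does not state it.

```python
import io
import re
import zipfile

# Fixed-in versions: 2.15.0 and 2.17.1 are stated on the page; 2.17.0 for
# CVE-2021-45105 comes from the Apache advisory (assumption, not on the page).
# Mainline 2.x only: the 2.3.x / 2.12.x backport releases are not modelled.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def unpatched_cves(version):
    """Return the CVEs whose fix version is newer than `version`."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

def scan_archive(data, path="", depth=0, max_depth=4):
    """Yield (path, version, cves) per log4j-core jar, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP-format archive, nothing to report
    with zf:
        for name in zf.namelist():
            full = f"{path}!/{name}" if path else name
            m = JAR_RE.search(name)
            if m:
                version = tuple(int(p or 0) for p in m.groups())
                yield full, version, unpatched_cves(version)
            elif name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                yield from scan_archive(zf.read(name), full, depth + 1, max_depth)

def constructed_sample():
    """Build an in-memory WAR holding empty, constructed jar entries."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n, content in entries.items():
                z.writestr(n, content)
        return buf.getvalue()
    fat = zipped({"BOOT-INF/lib/log4j-core-2.17.1.jar": b""})
    return zipped({"WEB-INF/lib/log4j-core-2.14.1.jar": b"", "WEB-INF/lib/app.jar": fat})

if __name__ == "__main__":
    for hit in scan_archive(constructed_sample(), "sample.war"):
        print(hit)
```

A name-based check misses shaded or renamed copies of the library, so an empty result is not proof that an application is unaffected.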