Free Courses Sale ends Soon, Get It Now


Log4j vulnerability

29th December, 2021

                                          

                                             Copyright infringement is not intended

What is Log4j?

  • It is a widely used software logging library for Java software.
  • Recently, it was exposed by the Apache foundation for having serious security vulnerabilities.
  • An attacker exploiting the vulnerability could potentially execute arbitrary, malicious code on an affected system.
  • To rectify this breach, the Apache Foundation released patches for various software projects using vulnerable versions of the Log4j library.

 

How does Log4j vulnerability work?

How bad is the vulnerability?

  • It affects a component of the library meant to allow for the insertion of arbitrary system and Java environment variables within software logs.
  • An attacker exploiting the vulnerability could potentially execute arbitrary, malicious code on an affected system.
  • The vulnerability presents a large attack surface particularly due to the ubiquitous use of the Log4j library in Java software.

 

What is a zero-day vulnerability and is log4j one of this kind?

  • A 0day (or zero-day vulnerability) refers to a security flaw which has not been publicly disclosed and for which a software patch or remediation technique is not available.
  • Considering that attempts at exploiting Log4Shell were observed at least a week prior to it being publicly disclosed, it could be said that it was a 0day vulnerability, however, only for a very brief period.

 

https://www.thehindu.com/sci-tech/technology/internet/the-log4j-vulnerability/article38053462.ece?homepage=true