
Log4j vulnerability

Description

                                          


What is Log4j?

  • It is a widely used software logging library for Java software.
  • Recently, the Apache Foundation disclosed that it has serious security vulnerabilities.
  • An attacker exploiting the vulnerability could potentially execute arbitrary, malicious code on an affected system.
  • To rectify this flaw, the Apache Foundation released patches for various software projects using vulnerable versions of the Log4j library.

 

How does the Log4j vulnerability work?

How bad is the vulnerability?

  • It affects a component of the library meant to allow for the insertion of arbitrary system and Java environment variables within software logs.
  • An attacker exploiting the vulnerability could potentially execute arbitrary, malicious code on an affected system.
  • The vulnerability presents a large attack surface particularly due to the ubiquitous use of the Log4j library in Java software.

 

What is a zero-day vulnerability, and is the Log4j vulnerability one of this kind?

  • A 0day (or zero-day vulnerability) refers to a security flaw which has not been publicly disclosed and for which a software patch or remediation technique is not available.
  • Considering that attempts at exploiting Log4Shell were observed at least a week prior to it being publicly disclosed, it could be said that it was a 0day vulnerability, though only for a very brief period.

 

https://www.thehindu.com/sci-tech/technology/internet/the-log4j-vulnerability/article38053462.ece?homepage=true

 
