Java Log4j Vulnerability
Last updated on January 9, 2022 by Cyber Defense Trends
The log4j vulnerability is a zero day vulnerability, which means that the day that it is made public that there is a vulnerability, anyone with the skills can look for
software that is vulnerable, and take advantage of that to cause harm.
First made public in December 2021, the effects of the log4j vulnerability are still ongoing. There are so many software applications that use log4j that any vendor that does so
is potentially open for an attack until they close off the vulnerability.
Log4j refers to java code that is used for logging within software applications. Logging provides the ability to read through the behavior of a software application
and is often used for debugging. Most software application include some kind of logging, and rather than every software developer writing their own code to write logs,
using the existing log4j logging saves them time, and also ensures that there is consistency in the way software applications do their logging.
The initial log4j vulnerability, found in December, and was made public as CVE-2021-44228.
This was the original log4j vulnerability, found in December 2021. Known also as Log4Shell, this vulnerability was documented, as it allowed for the
ability to perform remote code execution, or being able to see information that should not be accessible. It was a vulnerability in
Apache Log4j versions 2.0-beta9 to 2.14.1. All software applications using these versions of log4j must be upgraded, preferably to version 2.17 or later.
This vulnerability was present in versions 2.0-beta9 to 2.15.0, (although not in 2.12.2) and allowed for the possibility
of a denial of service attack, as well as remote code execution and the ability to see information that should not be accessible.
Upgrading log4j is recommended, and due to issues (below) with 2.16, upgrades should use version 2.17 or later
Affecting log4j versions 2.0-beta9 to 2.16.0, this vulnerability allowed for the possibility of a denial of service attack when log4j was configured in some cases.
Upgrading to version 2.17 addresses this vulnerability.