Millions of Java Apps Remain Vulnerable to Log4Shell

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://threatpost.com/java-apps-vulnerable-log4shell/179397/
Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found.

Researchers at security firm Rezilion analyzed the current potential attack surface for the vulnerability in the popular open-source Apache Log4j framework that threatened to break the internet when it was discovered in December. The flaw in the ubiquitous Java logging library Apache Log4j is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover. Rezilion expected that due to the “massive amount of media coverage” the bug unsurprisingly received, the majority of applications would already be patched, Head of Vulnerability Research Yotam Perkal wrote in a report published Tuesday. However, their analysis found a very different story, he said. “We learned that the landscape is far from ideal and many applications vulnerable to Log4Shell still exist in the wild,” Perkal wrote in the report.
Click to expand...
many applications are still using Log4J version 1.x and likely aren’t patched because the original Log4Shell vulnerability, tracked as CVE-201-44228, doesn’t apply to this version, researchers noted. However, this is a misconception as that version has been “in an end-of-life state since August 2015 (which means it does not get any security updates), and contains plenty of other vulnerabilities, including RCE vulnerabilities, Perkal noted. “This should definitely worry organizations that are still using it,” he wrote.
Click to expand...
Perhaps most worrying about the vulnerable attack surface is that Log4Shell remains a hot target for threat actors, researchers noted. Indeed, attackers immediately set upon the bug once it was discovered—already under active exploitation—and haven’t let up much since. While Apache released a patch for Log4Shell within a day of discovery, it, too, had issues that could lead to DoS attacks—and apparently still hasn’t been applied in many cases.
Click to expand...
threatpost.com

Millions of Java Apps Remain Vulnerable to Log4Shell

Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.
threatpost.com threatpost.com
 
  • Like
  • Wow
  • +Reputation
Reactions: Gandalf_The_Grey, Deletedmessiah, Brahman and 3 others
You must log in or register to reply here.

Similar threads

silversurfer
    • +Reputation
    • Like
Crypto Opinions & News 'Randstorm' Vulnerability: Millions of Crypto Wallets Open to Theft
Replies
0
Views
510
Crypto News
silversurfer
silversurfer
upnorth
    • Like
Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text
Replies
0
Views
454
News Archive
upnorth
upnorth
Gandalf_The_Grey
    • Like
    • +Reputation
D-Link WiFi range extender vulnerable to command injection attacks
Replies
0
Views
1,158
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top