Articles about Apache Log4j

It can seem like securing systems is all about new threats and zero-day issues. But research from exposure management platform CyCognito shows that older issues can still be a problem.

It shows two percent of organizations have assets still vulnerable to Log4j. What's more over 50 percent of attempted patches require multiple rounds of validation before the patch is successful, often because of incomplete or inaccurately followed remediation instructions -- effectively prolonging the exposure window.

Continue reading →

Two years ago, the zero-day vulnerability, known as Log4Shell unwrapped itself spoiling holiday celebrations for many across the globe leaving organizations scrambling for a fix before it could be exploited. 

The vulnerability was discovered in Log4j, a widely used logging tool used by millions of computers worldwide running online services.  Its profound impact on IT environments has called for a fundamental shift in how organizations think about their security strategies.

Continue reading →

The Log4j or Log4Shell vulnerability first hit the news in December 2021 sending ripples through the cybersecurity world. So you might be forgiven for thinking that it's safe to assume it's no longer a threat. However, one year on it seems that this is a vulnerability that keeps on being, well… vulnerable.

New research from Tenable, based on data collected from over 500 million tests, shows that 72 percent of organizations remain vulnerable to Log4Shell as of October this year.

Continue reading →

The Log4j vulnerability first hit the headlines in December last year. Since then we've heard less about it, but it hasn't gone away, like most vulnerabilities it has a long tail.

A recent report from the Cybersecurity Safety Review Board takes a comprehensive look at the vulnerability and what can be learned from it.

Continue reading →

The Log4Shell vulnerability proved to be one of the major cybersecurity events of last year and its repercussions continue to rumble on.

Research from network security platform Valtix shows 95 percent of IT leaders say Log4Shell was a wake up call for cloud security, changing it permanently, and 87 percent feel less confident about their cloud security now than they did before the incident.

Continue reading →

It's now over three months since the Log4Shell vulnerability, affecting the Log4j logging framework, first appeared.

But new research from Randori shows that it's still giving headaches to enterprises and identifies the top 10 attackable targets.

Continue reading →

Since the Log4Shell attack targeting a log4j vulnerability was first uncovered towards the end of last year it's posed a threat to web servers worldwide.

It's a tricky problem to address because doing so means updating software dependencies. Meanwhile attackers are seeking to inject text into log messages or log message parameters, then into server logs which can then load code from a remote server for malicious use, using obfuscation techniques to hide from security software.

Continue reading →

At the end of November a vulnerability targeting Minecraft servers was uncovered. If you don't play Minecraft you probably didn't pay it much attention.

Since then, however, 'Log4Shell' has surged across the web sending tremors through the security community and prompting the US government to describe it as a 'severe risk'. So, what's going on and is it time to panic?

Continue reading →

If you are running a version of Apache Log4j between 2.0-beta9 to 2.14.1 (inclusive) the Log4Shell vulnerability is something you need to be aware off. Tracked as CVE-2021-44228, this is a serious and easily exploited RCE flaw in the open-source Java-based logging utility.

An attacker can exploit the security flaw to execute a remote attack by simply using a particular string as the browser user agent. Although the Apache Software Foundation has released a patched version of Log4j 2.15.0, not everyone is able to update straight away, and this is something that attackers are taking advantage of. Thankfully, security firm Cybereason has released a "vaccine" called Logout4Shell that protects against Log4Shell.

Continue reading →