Security news aggregator

Latest coverage for Log4j

Log4j is a Java logging library whose vulnerabilities, including Log4Shell, can let attackers execute code through dependent applications.

73 headlines in this view

Refine the feed

Search across headline titles and summaries.

Tag briefing

Background for this topic.

Apache Log4j is a Java library that records application events, such as errors and user activity, to files, consoles, or other destinations. Log4j 2 is distinct from the older Log4j 1.x branch, and both may appear directly or as transitive dependencies inside larger applications and products.

Security attention centers on Log4Shell (CVE-2021-44228), a flaw in Log4j 2’s JNDI lookup processing. When an application logged attacker-controlled text, a vulnerable configuration could contact an attacker-controlled service and potentially execute code. Effective defense requires identifying bundled and indirect Log4j copies, upgrading to a supported fixed release, and treating exposed applications as potential attack surfaces. Monitoring application and network logs for exploit attempts, followed by focused compromise assessment where vulnerable systems were reachable, remains important because patching alone does not establish whether exploitation occurred.

Volume over time

Weekly headline count for the current query.

Showing 20 most recent headlines of 73
Bank Info Security 2 years, 5 months ago

FritzFrog Botnet Exploits Log4Shell

Botnet Looks for Vulnerable Internal Network MachinesDelivering more proof that the Log4Shell vulnerability is endemic, Akamai researchers detected botnet malware updated to use the flaw as an infection vector. Log4Shell burst into public awareness in late 2021 when security researchers identified a flaw in the ubiquitous Apache Log4J 2 Java library.

Lack of awareness still blamed for patching apathy despite it being among most infamous bugs of all time Two years after the Log4Shell vulnerability in the open source Java-based Log4j logging utility was disclosed, circa one in four applications are dependent on outdated libraries, leaving them open to exploitation.…

The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts

Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years. [...]

Accept there are some risks you don’t control but which nonetheless you can’t ignore Sponsored Feature Friday the 10 of December 2021 is etched in the memory of many IT professionals, but not for reasons they will look back on with fondness. That was the day, just as most American workers were logging off for a long weekend, when a critical vulnerability in an obscure but essential piece of software code first came to widespread attention.…

The Register 3 years, 6 months ago

It’s time to fill those cloud security gaps

Here’s how Wiz can help Sponsored Feature When software vulnerabilities and zero days moved up the enterprise worry list 15 years ago, nobody imagined the world would one day end up with a threat as perplexing as Log4Shell – a vulnerability in the Apache Log4j open source logging framework that's used in software on all major operating systems spanning everything from cloud services to PC games.…

It's the gift to cybercriminals that keeps on giving Iranian state-sponsored cyber criminals used an unpatched Log4j flaw to break into a US government network, illegally mine for cryptocurrency, steal credentials and change passwords, and then snoop around undetected for several months, according to CISA.…

Loading more headlines...