Security news aggregator

Latest coverage for Log4j

Log4j is a Java logging library whose vulnerabilities, including Log4Shell, can let attackers execute code through dependent applications.

9 headlines in this view

Refine the feed

Search across headline titles and summaries.

Tag briefing

Background for this topic.

Apache Log4j is a Java library that records application events, such as errors and user activity, to files, consoles, or other destinations. Log4j 2 is distinct from the older Log4j 1.x branch, and both may appear directly or as transitive dependencies inside larger applications and products.

Security attention centers on Log4Shell (CVE-2021-44228), a flaw in Log4j 2’s JNDI lookup processing. When an application logged attacker-controlled text, a vulnerable configuration could contact an attacker-controlled service and potentially execute code. Effective defense requires identifying bundled and indirect Log4j copies, upgrading to a supported fixed release, and treating exposed applications as potential attack surfaces. Monitoring application and network logs for exploit attempts, followed by focused compromise assessment where vulnerable systems were reachable, remains important because patching alone does not establish whether exploitation occurred.

Volume over time

Weekly headline count for the current query.

Showing 9 most recent headlines Filtered view

The "hotpatch" released by Amazon Web Services (AWS) in response to the Log4Shell vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host

Most security practitioners are now aware of the Log4Shell vulnerability discovered toward the end of 2021. No one knows how long the vulnerability existed before it was discovered. The past couple of months have had security teams scrambling to patch the Log4Shell vulnerability found in Apache Log4j, a Java library widely used to log error messages in applications. Beyond patching, it's helpful