If you updated your systems using the recently released Log4J 2.15.0, you might need to consider updating again. Cyber experts have discovered yet another vulnerability in the patch that could exacerbate the security experience in the Log4J library.
What is Log4j?
Log4j, by Apache Foundation, is a logging utility commonly used by almost every enterprise network and cloud service to create modern software. It is part of the larger building blocks used to accomplish the vital job hence the term “software library.” Developers use Log4j to keep track of their software online services or applications. Basically, it’s an extensive journal of all the activities of your system. The practice is called “logging” and helps developers keep an eye on the system to avoid system problems and ensure smooth services to users.
What’s The Issue?
On 9th December 2021, the world learned of a Log4j vulnerability that hackers could use to extract data or infect other networks. The hack would be severe given that Log4j is a worldwide service provider.
Impact Of the Log4j Vulnerability
Most software need to log for security, operational, or development purposes, and Log4j falls among the top service providers. If you’re an individual, Log4j is certainly part of the services and devices you use daily online. In this case, the best protection would be to look out for patches in the next few days and update regularly.
If you’re running an organization, confirm that your web applications and software include Log4j. If so, you should update with internet-facing and non-internet-facing software. Note that Log4j may be installed elsewhere in your organization. So, it would be best to implement detection and threat intelligence functions in the organization to detect exploitation payloads and trace evidence.
Log4J Update Creates Yet Another Vulnerability
Open-source developers quickly found a solution for the initial vulnerability and asked users to install the update to patch the flaw immediately. Now researchers report at least two additional vulnerabilities in the just-released “Log4J 2.15.0” patch. This has provided hackers with more channels to exploit and attack the real-world targets who had already installed the update.
Another Log4J 2.16.0 Update
Now researchers have released version 2.16.0 immediately to address the vulnerability claiming that the earlier fix had incomplete configurations that allowed attackers to conduct the denial-of-service attacks (DDoS) attack. And although the researchers have communicated the same to Apache Foundation, we’re yet to hear from the company. Usually, companies experiencing cyber threats don’t provide details about the vulnerabilities and response plans to avoid providing information that would aid hackers.