Waterdog Network Assessment Data Sheet
Severe vulnerability in Java logging libraries allows unauthenticated remote code execution and access to servers, warn researchers.
A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers.
Tracked as CVE-2021-44228, the vulnerability is classed as severe and allows unauthenticated remote code execution as the user running the application utilises the Java logging library. CERT New Zealand warns that it’s already being exploited in the wild.
CISA has urged users and administrators to apply the recommended mitigations “immediately” in order to address the critical vulnerabilities.
Systems and services that use the Java logging library, Apache Log4j between versions 2.0 and 2.14.1 are all affected, including many services and applications written in Java.
SEE: A winning strategy for cybersecurity (ZDNet special report)
The vulnerability was first discovered in Minecraft but researchers warn that cloud applications are also vulnerable. It’s also used in enterprise applications and it’s likely that many products will be found to be vulnerable as more is learned about the flaw.