The IT security community has been hard at work for the past week investigating a critical and easy-to-exploit vulnerability in Log4j, a hugely popular Java logging component that is present in millions of applications and products. Since the flaw was first disclosed and attackers started exploiting it, security researchers have discovered additional security issues in Log4j and various ways to bypass some of the proposed mitigations, leaving security teams scrambling for the correct ways to protect their applications, servers and networks.

Updating the affected component to the latest version, currently 2.17.0 for Java 8 and newer, is the best way to mitigate the flaws identified so far: CVE-2021-44228, also known as Log4Shell, which leads to remote code execution, and CVE-2021-45046 and CVE-2021-45105, which can cause denial-of-service conditions.

Unfortunately, immediate patching is not viable in all scenarios. Business-critical servers and applications might not be able to restart immediately, or applications might run in containers for which new container images must be built. Packaged products from third-party vendors might contain vulnerable versions of the logging library that users can't modify without updating the whole product, so they depend on the vendor to release an update. As with most vulnerabilities, alternative mitigations are very useful for security teams, but it is important to understand their limitations and the false sense of security some of them can induce.

The vulnerability is caused by the way Log4j uses a Java feature called JNDI (Java Naming and Directory Interface), which was designed to allow additional Java objects to be loaded at runtime. JNDI can load such objects from remote naming services over several protocols, which is what turns an attacker-controlled string that ends up in a log message into remote code execution.
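The situation described above, where a vendor package bundles its own copy of log4j-core that the user cannot simply swap out, is exactly where teams need an inventory before deciding between upgrading and an interim mitigation. The following scanner is an added example, not code from the original article: it walks a zip-based archive (.jar, .war, .ear) in memory, recurses into nested archives, reads the log4j-core version from its Maven pom.properties, and checks whether JndiLookup.class is still present (its removal is one of the circulated alternative mitigations). The sample .war, the jar names and the class-file bytes are all constructed inline for the example. It assumes the 2.17.0 threshold the article gives for the Java 8+ line and does not model the separate fixed releases for older Java lines; the verdict strings are this example's own.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entries that identify a log4j-core jar and the class behind the JNDI lookup.
# Deleting JndiLookup.class from the jar is one of the widely circulated
# alternative mitigations for CVE-2021-44228.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Fixed release for the Java 8+ line, as stated in the article (assumption:
# older Java lines, which have their own fixed releases, are not modelled).
FIXED_VERSION = (2, 17, 0)

STATUS_FIXED = "fixed"
STATUS_MITIGATED = "mitigated"   # JndiLookup.class removed: blocks the RCE only
STATUS_VULNERABLE = "vulnerable"
STATUS_UNKNOWN = "unknown"       # JndiLookup.class seen but no version metadata


@dataclass
class Finding:
    path: str                    # e.g. app.war!/WEB-INF/lib/log4j-core-2.14.1.jar
    version: Optional[str]
    jndi_lookup_present: bool
    status: str


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '-rc1'."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def classify(version: Optional[str], jndi_lookup_present: bool) -> str:
    if version is None:
        return STATUS_UNKNOWN
    if parse_version(version) >= FIXED_VERSION:
        return STATUS_FIXED
    # A pre-2.17 jar with JndiLookup.class stripped is no longer exploitable
    # via the JNDI lookup, but the recursion DoS (CVE-2021-45105) does not
    # depend on that class, so the jar still has to be upgraded.
    if not jndi_lookup_present:
        return STATUS_MITIGATED
    return STATUS_VULNERABLE


def scan_archive(data: bytes, path: str, findings: List[Finding]) -> None:
    """Inspect one zip-based archive held in memory; recurse into nested ones."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if match:
                    version = match.group(1).strip()
            present = JNDI_LOOKUP in names
            findings.append(Finding(path, version, present, classify(version, present)))
        for name in names:
            if name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
                try:
                    scan_archive(zf.read(name), f"{path}!/{name}", findings)
                except zipfile.BadZipFile:
                    pass  # suffix lied; not an archive


def scan(data: bytes, path: str) -> List[Finding]:
    findings: List[Finding] = []
    scan_archive(data, path, findings)
    return findings


# --- constructed sample input (mock artifacts, not real vendor packages) ----

def build_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def fake_log4j_core(version: str, with_jndi_lookup: bool = True) -> bytes:
    props = f"#generated\nversion={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    entries = {POM_PROPS: props.encode()}
    if with_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class
    return build_zip(entries)


def sample_war() -> bytes:
    """A mock vendor .war bundling several log4j-core jars under WEB-INF/lib."""
    return build_zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": fake_log4j_core("2.14.1"),
        "WEB-INF/lib/log4j-core-2.15.0.jar": fake_log4j_core("2.15.0", with_jndi_lookup=False),
        "WEB-INF/lib/log4j-core-2.17.0.jar": fake_log4j_core("2.17.0"),
        "WEB-INF/lib/vendor-util.jar": build_zip({"com/example/Util.class": b"\xca\xfe"}),
    })


if __name__ == "__main__":
    for f in scan(sample_war(), "app.war"):
        print(f"{f.status:10} {f.version or '?':8} jndi_lookup={f.jndi_lookup_present} {f.path}")
```

Against a real deployment, read the file from disk and pass its bytes and path to `scan`. The point of the `mitigated` verdict is the caveat from the text: stripping JndiLookup.class closes the Log4Shell path but leaves the 2.17.0 upgrade outstanding, so the scanner never reports such a jar as fixed.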