Millions of devices are at risk as a result of a new software vulnerability
A recently identified hole in a widely used piece of open-source software has prompted researchers and businesses to update their systems in order to prevent breaches and ransomware attacks.
An incomplete patch for CVE-2021-44228 could be abused to “craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS) attack.”
The Apache Software Foundation (ASF) has pushed out a new fix for the Log4j logging utility after the previous patch for the recently disclosed Log4Shell exploit was deemed as “incomplete in certain non-default configurations.”
The second vulnerability — tracked as CVE-2021-45046 — is rated 3.7 out of a maximum of 10 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, which the project maintainers shipped last week to address a critical remote code execution vulnerability (CVE-2021-44228) that could be abused to infiltrate and take over systems.
“Dealing with CVE-2021-44228 has shown the JNDI has significant security issues,” Ralph Goers of the ASF explained. “While we have mitigated what we are aware of it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it.”
JNDI, short for Java Naming and Directory Interface, is a Java API that enables applications coded in the programming language to look up data and resources such as LDAP servers. Log4Shell is resident in the Log4j library, an open-source, Java-based logging framework commonly incorporated into Apache web servers.
Because the vulnerability, called “Log4Shell” by some, is pervasive and is most likely present in heavily frequented websites and apps, consumers’ favourite websites and apps may also be impacted.
Mandiant and Crowdstrike, two cybersecurity organisations, warned that hacking gangs are attempting to penetrate systems, and Mandiant told Reuters that they are “Chinese government actors,” referring to the ruling Chinese Communist Party.
According to a blog post by Dragos cybersecurity researchers, “Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come.”