Global Information Lookup Global Information

Log4Shell information


Log4Shell
CVE identifier(s)CVE-2021-44228
Date discovered24 November 2021; 2 years ago (2021-11-24)
Date patched6 December 2021; 2 years ago (2021-12-06)
DiscovererChen Zhaojun of the Alibaba Cloud Security Team[1]
Affected softwareApplications logging user input using Log4j 2

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution.[2][3] The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online.[2][1][4][5][6] Apache gave Log4Shell a CVSS severity rating of 10, the highest available score.[7] The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.[6][8]

The vulnerability takes advantage of Log4j's allowing requests to arbitrary LDAP and JNDI servers,[2][9][10] allowing attackers to execute arbitrary Java code on a server or other computer, or leak sensitive information.[5] A list of its affected software projects has been published by the Apache Security Team.[11] Affected commercial services include Amazon Web Services,[12] Cloudflare, iCloud,[13] Minecraft: Java Edition,[14] Steam, Tencent QQ and many others.[9][15][16] According to Wiz and EY, the vulnerability affected 93% of enterprise cloud environments.[17]

The vulnerability's disclosure received strong reactions from cybersecurity experts. Cybersecurity company Tenable said the exploit was "the single biggest, most critical vulnerability ever,"[18] Ars Technica called it "arguably the most severe vulnerability ever"[19] and The Washington Post said that descriptions by security professionals "border on the apocalyptic."[8]

  1. ^ a b Povolny, Steve; McKee, Douglas (10 December 2021). "Log4Shell Vulnerability is the Coal in our Stocking for 2021". McAfee. Retrieved 12 December 2021.
  2. ^ a b c Wortley, Free; Thrompson, Chris; Allison, Forrest (9 December 2021). "Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package". LunaSec. Retrieved 12 December 2021.
  3. ^ "CVE-2021-44228". Common Vulnerabilities and Exposures. Retrieved 12 December 2021.
  4. ^ "Worst Apache Log4j RCE Zero day Dropped on Internet". Cyber Kendra. 9 December 2021. Retrieved 12 December 2021.
  5. ^ a b Newman, Lily Hay (10 December 2021). "'The Internet Is on Fire'". Wired. ISSN 1059-1028. Retrieved 12 December 2021.
  6. ^ a b Murphy, Hannah (14 December 2021). "Hackers launch more than 1.2m attacks through Log4J flaw". Financial Times. Retrieved 17 December 2021.
  7. ^ "Apache Log4j Security Vulnerabilities". Log4j. Apache Software Foundation. Retrieved 12 December 2021.
  8. ^ a b Hunter, Tatum; de Vynck, Gerrit (20 December 2021). "The 'most serious' security breach ever is unfolding right now. Here's what you need to know". The Washington Post.
  9. ^ a b Mott, Nathaniel (10 December 2021). "Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit". PC Magazine. Retrieved 12 December 2021.
  10. ^ Goodin, Dan (10 December 2021). "Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet". Ars Technica. Retrieved 12 December 2021.
  11. ^ "Apache projects affected by log4j CVE-2021-44228". 14 December 2021.
  12. ^ "Update for Apache Log4j2 Issue (CVE-2021-44228)". Amazon Web Services. 12 December 2021. Retrieved 13 December 2021.
  13. ^ Lovejoy, Ben (14 December 2021). "Apple patches Log4Shell iCloud vulnerability, described as most critical in a decade". 9to5Mac.
  14. ^ "Security Vulnerability in Minecraft: Java Edition". Minecraft. Mojang Studios. Retrieved 13 December 2021.
  15. ^ Goodin, Dan (10 December 2021). "The Internet's biggest players are all affected by critical Log4Shell 0-day". ArsTechnica. Retrieved 13 December 2021.
  16. ^ Rundle, David Uberti and James (15 December 2021). "What Is the Log4j Vulnerability?". Wall Street Journal – via www.wsj.com.
  17. ^ "Enterprises halfway through patching Log4Shell | Wiz Blog". www.wiz.io. 20 December 2021. Retrieved 20 December 2021.
  18. ^ Barrett, Brian. "The Next Wave of Log4J Attacks Will Be Brutal". Wired. ISSN 1059-1028. Retrieved 17 December 2021.
  19. ^ Goodin, Dan (13 December 2021). "As Log4Shell wreaks havoc, payroll service reports ransomware attack". Ars Technica. Retrieved 17 December 2021.

and 17 Related for: Log4Shell information

Request time (Page generated in 0.7451 seconds.)

Log4Shell

Last Update:

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability...

Word Count : 3474

UKG

Last Update:

possibly occurred as a result of the Log4Shell zero-day, but UKG claimed it did not have evidence of Log4Shell being responsible for the ransomware incident...

Word Count : 1668

Log4j

Last Update:

published by the Alibaba Cloud Security Team and given the descriptor "Log4Shell". It has been characterized by Tenable as "the single biggest, most critical...

Word Count : 3205

VMware

Last Update:

Exploit Log4Shell to Infect VMware Horizon Servers". PCMag. Archived from the original on 2022-05-20. Retrieved 2022-05-20. Osborne, Charlie. "Log4Shell exploited...

Word Count : 6438

Alibaba Cloud

Last Update:

use in its data centers in October 2021. On November 24, 2021, the bug Log4Shell was disclosed to Apache by Chen Zhaojun of Alibaba Cloud’s Security Team...

Word Count : 1490

List of security hacking incidents

Last Update:

Alibaba's Cloud Security Team reported a zero-day vulnerability (later dubbed Log4Shell) involving the use of arbitrary code execution in the ubiquitous Java...

Word Count : 14635

The Apache Software Foundation

Last Update:

of Apache Software Foundation projects Apache Attic Apache Incubator Log4Shell CNCF Linux Foundation "Apache Software Foundation, Full Filing – Nonprofit...

Word Count : 1096

Arbitrary code execution

Last Update:

ACE vulnerabilities. On December 9, 2021, a RCE vulnerability called "Log4Shell" was discovered in popular logging framework Log4j, affecting many services...

Word Count : 1013

2020s

Last Update:

DarkSide causing substantial shortages in the southeastern USA. Log4Shell 24 November 2021 Log4Shell affected hundreds of millions of devices through Java's open...

Word Count : 17767

ExpressVPN

Last Update:

In December 2021, ExpressVPN modified its product to protect against Log4Shell, updating its VPN to automatically block all outgoing traffic on ports...

Word Count : 2363

Cyber Safety Review Board

Last Update:

report of the board was published 11 July 2022 and described Log4j and Log4shell. Sanger, David E.; Perlroth, Nicole; Barnes, Julian E. (2021-05-10). "Biden...

Word Count : 518

Java Naming and Directory Interface

Last Update:

file system does. Computer programming portal Service locator pattern Log4Shell "Java SE - Core Technologies - Java Naming and Directory Interface (JNDI)"...

Word Count : 733

Spring Framework

Last Update:

CVE-2022-22965. It was given the name Spring4Shell in reference to the recent Log4Shell vulnerability, both having similar proofs-of-concept in which attackers...

Word Count : 6672

Emotet

Last Update:

SMBGhost (2020) Thunderspy (2020) PrintNightmare (2021) FORCEDENTRY (2021) Log4Shell (2021) Account pre-hijacking (2022) Retbleed (2022) Downfall (2023) LogoFAIL...

Word Count : 907

2021 in science

Last Update:

come from cosmic sources, such as black holes and neutron stars. The Log4Shell security vulnerability in a Java logging framework is publicly disclosed...

Word Count : 38840

EXist

Last Update:

Version Release date Changes 6.0.0 January 27, 2022 Fixes for Log4Shell vulnerability and breaking changes to bundled Apache XML-RPC libraries to resolve...

Word Count : 465

ExtraHop Networks

Last Update:

encrypted exploit attempts of CVEs such as PrintNightmare, ProxyLogon, Log4Shell, and Spring4Shell. –Detection of cloud attack techniques (eg, AWS IMDS...

Word Count : 1435
PDF Search Engine © AllGlobal.net