The Apache Log4j library is extremely popular.
Almost all JAVA-based enterprise software depends on it.
Consequently, Log4j is the de facto standard JAVA logging API that developers use to enrich their server applications with logging capabilities.
One reason that an organization might use Log4j is to help troubleshoot potential security incidents.
For example, if someone attempted to log in using incorrect credentials, Log4j could record information about the event.
In other words, Log4j holds sensitive information that malicious attackers can easily exploit.
The Log4j vulnerability CVE-2021-44228 impacts Log4j 2 versions from 2.0-beta9 to 2.14.1.
Apache announced a series of somewhat related vulnerabilities: CVE-2021-45046, which can lead to DDOS attacks, and CVE-2021-45105, an infinite recursion bug.
The Apache Software Foundation has already released versions 2.15.0, 2.16.0, and 2.17.0 to patch the vulnerability.
If you’re running one of the affected Log4j versions, it’s crucial that you patch your system immediately.
Since Log4j vulnerabilities affect the core function of the program, there are many ways that cybercriminals can exploit them.
On vulnerable systems, attackers not only have access to all data, they can also run any code they want.
All capabilites that a comprised machine has can then be exploited by the attacker.
This opens the door for malicious code injections, ransomware attacks, and DDOS attacks.