One of the biggest software security vulnerabilities for some time has been discovered and patched - but that patch needs patching too...
You may have heard about the recent critical vulnerability in the widely used java-based logging package, Log4j.
The vulnerability (labelled CVE-2021-44228) allows arbitrary code to be executed on a vulnerable system and at least two botnets have been found to be exploiting this in the wild.
This has had admins and security analysts reaching for the coffee as they prepared to test and roll-out the patched update or at least mitigate the risk.
However, a vulnerability with the initial patch (2.15.0) has come to light pretty quickly – which has already been resolved in versions 2.12.2 and 2.16.0.
Apache Log4J can be found in everything from the ubiquitous webserver Tomcat to the Java version of Minecraft - the list is enormous.
Vendors of applications and PaaS which are built on Java technologies are moving swiftly to release software updates. Amazon has already released a hotpatch utility on GitHub which may save you some woes – but do heed the caveat that this has been currently only tested with JDK 8, 11, 15 and 17 on Linux.
Microsoft have released this response which gives advice on updating appropriately, stating “All systems, including those that are not internet facing, are potentially vulnerable to these vulnerabilities, so backend systems and microservices should also be upgraded.”
NCCGroup provides this guidance on finding vulnerable versions and detecting whether your systems have already been exploited.
Head over to Apache.org for the full nitty-gritty.