Log4Shell patch incomplete, new fix issued


JNDI functionality now disabled by default.

A new, urgent patch for the near-ubiquitous Java log4j logging library has been released, after the prior one, thought to handle the critical Log4Shell vulnerability, turned out to be incomplete.

The Log4Shell vulnerability, which allows remote code execution and information leakage through directory and domain name system lookups performed during logging operations, is currently being widely exploited on vulnerable systems.

The initial fix for Log4Shell, version 2.15.0, was found not to address all issues in non-default configurations and could be abused for denial of service attacks through malicious input.

Version 2.16.0 now removes support for message lookup patterns, and disables Java Naming and Directory Interface (JNDI) functionality by default.

Users with releases prior to 2.16.0 can also mitigate the above issue by removing the JndiLookup Java class from the classpath that the application's framework searches.
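The class-removal mitigation above is easy to get wrong at scale, so the following added example (it is not from the article or from the Log4j project) checks a jar for the version threshold the article names, reports whether the `JndiLookup` class is still present, and writes a copy of the jar with that class entry stripped. The class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` and the `pom.properties` location are the standard log4j-core layout; the sample jars built by `build_sample_jar` are constructed stand-ins with no real bytecode.

```python
"""Assess a JAR for a pre-2.16.0 log4j-core and produce a mitigated copy.

Added example, not code from the article or the Log4j project. It checks
the declared log4j-core version against the 2.16.0 fix the article names,
looks for the JndiLookup class, and can strip that class from a copy of the
jar, which is the classpath-removal mitigation described for older releases.
"""
import io
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # release the article reports as the complete fix


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts become 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def log4j_version(jar_bytes):
    """Return the log4j-core version declared in pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def assess_jar(jar_bytes):
    """Classify a jar as 'not-log4j', 'fixed', 'mitigated' or 'vulnerable'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        has_jndi = JNDI_LOOKUP in jar.namelist()
    version = log4j_version(jar_bytes)
    if version is None and not has_jndi:
        return {"status": "not-log4j", "version": None, "jndi_lookup": False}
    if version is not None and parse_version(version) >= FIXED_VERSION:
        status = "fixed"
    elif has_jndi:
        # Old (or shaded/unversioned) release with the lookup class present.
        status = "vulnerable"
    else:
        # Old release, but JndiLookup has already been removed from it.
        status = "mitigated"
    return {"status": status, "version": version, "jndi_lookup": has_jndi}


def strip_jndi_lookup(jar_bytes):
    """Return a copy of the jar with the JndiLookup class entry removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def scan_directory(root):
    """Assess every *.jar under root; returns {path: assessment}."""
    return {str(p): assess_jar(p.read_bytes()) for p in Path(root).rglob("*.jar")}


def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                "artifactId=log4j-core\n"
                                f"version={version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    old = build_sample_jar("2.14.1")
    print("before:", assess_jar(old))
    print("after :", assess_jar(strip_jndi_lookup(old)))
    print("2.16.0:", assess_jar(build_sample_jar("2.16.0")))
```

Shaded or repackaged jars that carry the `JndiLookup` class without a `pom.properties` are flagged as vulnerable on the class alone, since no version can be read; conversely, a jar that reports 2.16.0 or later is treated as fixed regardless of the class, matching the article's statement that JNDI is disabled by default there. Stripping the class is a stopgap for hosts that cannot upgrade yet; the article's primary advice remains moving to 2.16.0.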

The Log4Shell vulnerability is currently being used to plant cryptocurrency miners and ransomware, and also to leak environment variables from unpatched cloud services.

It is believed to be one of the most serious vulnerabilities discovered in recent years, and has been in log4j since 2013 when it was added to the logging library as a feature request.

Copyright © iTnews.com.au . All rights reserved.