An initial zero-day vulnerability in Apache Log4j (CVE-2021-44228), publicly disclosed on 9 December 2021 and widely known as Log4j or Log4Shell, is actively being targeted in the wild. CVE-2021-44228 was assigned the highest “Critical” severity rating, a maximum CVSS score of 10. On Tuesday, December 14th, new guidance was issued along with a second CVE, CVE-2021-45046. Originally scored with a CVSS of 3.7, CVE-2021-45046 was upgraded to a CVSS score of 9.0 on December 17th. On December 18, a third CVE (CVE-2021-45105) was issued with a CVSS score of 7.5. This CVE describes a DoS (Denial of Service) vulnerability in all 2.x versions of Log4j, including 2.16.0. The new guidance from Apache.org states that upgrading to Log4j version 2.16.0 is insufficient, as that version remains vulnerable to this DoS issue in certain scenarios. Upgrading to 2.17.0 is the preferred remedy per Apache.org. For specific details please see Investigating CVE-2021-44228 Log4Shell Vulnerability.
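The upgrade guidance above can be turned into a quick inventory check. The following is an added example, not code from the original article: it reads the version Maven records inside each log4j-core jar and flags anything below 2.17.0, so a 2.16.0 jar is still reported, matching Apache's note that it remains exposed to the DoS. The jars it scans are constructed in a temporary directory; the threshold and status labels are this example's own choices.

```python
import tempfile
import zipfile
from pathlib import Path
REMEDY_VERSION = (2, 17, 0)  # Apache's recommended fix per the page; 2.16.0 still carries the CVE-2021-45105 DoS
POM_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    # '2.16.0' -> (2, 16, 0) so versions compare numerically, not as strings
    return tuple(int(p) for p in text.strip().split("."))

def version_from_jar(jar):
    # Return the version Maven records inside the jar, or None if it is not a log4j-core jar
    try:
        with zipfile.ZipFile(jar) as zf:
            for name in zf.namelist():
                if name.endswith(POM_SUFFIX):
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            return line.split("=", 1)[1]
    except zipfile.BadZipFile:
        pass
    return None

def assess(version):
    # Classify against the page's guidance: anything below 2.17.0 needs the upgrade
    return "ok" if parse_version(version) >= REMEDY_VERSION else "upgrade-to-2.17.0"

def scan(root):
    # Walk root for jars and report (file name, version, status) for each log4j-core found
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        ver = version_from_jar(jar)
        if ver is not None:
            findings.append((jar.name, ver, assess(ver)))
    return findings

def make_sample_jar(path, version):
    # Constructed sample input: a minimal jar carrying only the Maven pom.properties
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/maven/" + POM_SUFFIX, f"artifactId=log4j-core\nversion={version}\n")

def demo():
    # Build a throwaway tree of constructed jars covering the versions the page discusses and scan it
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_jar(root / "a-old.jar", "2.14.1")
        make_sample_jar(root / "b-partial.jar", "2.16.0")
        make_sample_jar(root / "c-fixed.jar", "2.17.0")
        return scan(root)
```

Reading the version from pom.properties rather than the file name catches jars that were renamed or shaded into an application bundle.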
