Log4j flaw: Thousands of applications are still vulnerable, warn security researchers

Months on from a critical zero-day vulnerability being disclosed in the widely-used Java logging library Apache Log4j, a significant number of applications and servers are still vulnerable to cyberattacks because security patches haven’t been applied. 

First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j. 

Not only is the vulnerability relatively simple to take advantage of, but the ubiquitous nature of Log4j means that it’s embedded in a vast array of applications, services and enterprise software tools that are written in Java – and used by organisations and individuals around the world. 

SEE: Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attempts

It’s why director of US cybersecurity and infrastructure agency CISA, Jen Easterly, described the vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”. 

But despite critical warnings over the vulnerability, there’s still a large amount of Log4j instances operating in the wild that have yet to be patched and are still exposed to cyberattacks. 

According to researchers at cybersecurity company Rezilion, there’s over 90,000 vulnerable

Read More: https://www.zdnet.com/article/log4j-flaw-thousands-of-applications-are-still-vulnerable-warn-security-researchers/#ftag=RSSbaffb68