Log4j's security patch, which was meant to fix the Log4Shell flaw that attackers were already using to deliver malware, turns out to carry a critical vulnerability of its own.
Affected users therefore need to install another patch, since the first one left some security holes open, as reported in a news story by ArsTechnica.
Log4j Security Patch
The Log4Shell vulnerability was disclosed last Dec. 9. It is a zero-day remote code execution flaw in Log4j, a logging library that many of the largest cloud services and enterprise networks use.
According to a report by Bleeping Computer, Log4j is used by numerous cloud services and vendors, including Amazon, Adobe, Cisco, Broadcom, SolarWinds, IBM, and McAfee, to name a few.
The Log4j developers responded promptly to the Log4Shell flaw by rolling out an update meant to close the hole altogether.
Apache, the foundation behind Log4j, urged all of its users to install the security patch as soon as possible to avoid large-scale attacks.
On top of that, the security firm Cybereason released a Log4Shell "vaccine" to help enterprises that could not yet install the patch.
Some experts, however, noted that the protection the "vaccine" offers is limited.
Log4j Security Patch and its Critical Flaw
It now turns out that the initial patch for the Log4Shell vulnerability carries another "critical" flaw of its own, which leaves its users exposed to attack.
ArsTechnica noted in the same report that researchers found two vulnerabilities in the patch that was supposed to clean up the Log4j security mess.
In fact, attackers have already exploited one of the vulnerabilities found in that patch, Log4j version 2.15.0.
Cybersecurity researchers are therefore asking users of the widely used logging library to update to the newer release, version 2.16.0.
The researchers said the latest release should fix all of the vulnerabilities found in the earlier, incomplete update, the critical one being tracked as CVE-2021-45046.
They warned users of the logging library that the first fix "was incomplete in certain non-default configurations."
In those configurations, attackers could still use the flaw to carry out denial-of-service attacks against affected systems.
There is now a patch that addresses these issues.
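Because the fix status depends on the exact log4j-core version sitting on the classpath, here is an added example (my own code, not from the article, Apache, or any vendor mentioned) that scans a directory of .jar files, identifies log4j-core by its package path, reads Implementation-Version from the manifest, and classifies each jar against the thresholds the article reports: below 2.15.0 is unpatched, 2.15.0 carries the incomplete fix, 2.16.0 or later is fixed. The sample jars are constructed inline in a temporary directory; the manifest field name and the package-path check are assumptions about how log4j-core jars are laid out, and the version thresholds are plain constants so they can be raised when Apache publishes a newer advisory. Jars nested inside WAR or EAR archives are not recursed into here.

```python
"""Scan a directory of .jar files, identify log4j-core, and classify by version."""
import re
import tempfile
import zipfile
from pathlib import Path

# Version thresholds as reported in the article: 2.15.0 was the first (incomplete) fix,
# 2.16.0 the follow-up fix for CVE-2021-45046. Raise these if a newer advisory moves the bar.
FIRST_PATCH = (2, 15, 0)
FOLLOWUP_PATCH = (2, 16, 0)

# Assumption: a log4j-core jar carries classes under this package path.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"


def parse_version(text):
    """Turn '2.15.0' (or '2.15', '2.15.0-rc1') into a comparable tuple, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version_text):
    """Map a log4j-core version string to a patch status."""
    v = parse_version(version_text)
    if v is None:
        return "unknown-version"
    if v[0] != 2:
        return "not-log4j2"        # Log4j 1.x is a separate code base; out of scope here
    if v < FIRST_PATCH:
        return "vulnerable"        # before 2.15.0: original Log4Shell
    if v < FOLLOWUP_PATCH:
        return "partially-fixed"   # 2.15.0: incomplete fix, CVE-2021-45046
    return "fixed"                 # 2.16.0 or later, per the article


def manifest_field(zf, name):
    """Read one header (e.g. Implementation-Version) from META-INF/MANIFEST.MF."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith(name + ":"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path):
    """Return (is_log4j_core, status) for one jar file."""
    with zipfile.ZipFile(path) as zf:
        is_core = any(n.startswith(LOG4J_CORE_PREFIX) for n in zf.namelist())
        if not is_core:
            return False, "not-log4j-core"
        return True, classify(manifest_field(zf, "Implementation-Version"))


def scan_directory(directory):
    """Map jar filename -> status for every log4j-core jar directly under directory."""
    results = {}
    for jar in sorted(Path(directory).glob("*.jar")):
        is_core, status = inspect_jar(jar)
        if is_core:
            results[jar.name] = status
    return results


def build_sample_jars(directory=None):
    """Constructed sample input: minimal jars with only a manifest and a marker entry."""
    samples = {
        "log4j-core-2.14.1.jar": ("Apache Log4j Core", "2.14.1", True),
        "log4j-core-2.15.0.jar": ("Apache Log4j Core", "2.15.0", True),
        "log4j-core-2.16.0.jar": ("Apache Log4j Core", "2.16.0", True),
        "other-lib-1.0.jar": ("Some Other Library", "1.0", False),
    }
    directory = Path(directory or tempfile.mkdtemp())
    directory.mkdir(parents=True, exist_ok=True)
    for name, (title, version, is_core) in samples.items():
        with zipfile.ZipFile(directory / name, "w") as zf:
            zf.writestr(
                "META-INF/MANIFEST.MF",
                f"Manifest-Version: 1.0\nImplementation-Title: {title}\n"
                f"Implementation-Version: {version}\n",
            )
            if is_core:
                zf.writestr(LOG4J_CORE_PREFIX + "Core.class", b"")
    return directory


if __name__ == "__main__":
    sample_dir = build_sample_jars()
    for jar_name, jar_status in scan_directory(sample_dir).items():
        print(f"{jar_name}: {jar_status}")
```

Run it against a real application's lib directory by calling scan_directory on that path; anything reported as "vulnerable" or "partially-fixed" needs the newer release. Note that the manifest check alone says nothing about configuration, so a jar classified as "partially-fixed" is exactly the case the advisory describes: safe only outside the non-default configurations it names.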
This article is owned by Tech Times
Written by Teejay Boris