Internet

Yet another Log4j problem: you have to update again

In recent weeks we have seen significant vulnerabilities affecting Log4j, the popular Java registry library. This puts millions of servers at risk, so administrators had to upgrade as soon as possible to fix the issues. The point is that a few days later they had to release a second update to correct new problems. And yes, in this article we echo one more, so users should reinstall patches.

2.17.0, the new patch for Log4j

First they released version 2.15.0 to correct the important vulnerabilities that affected this library. They later released 2.16.0 and, in this case, the version 2.17.0. This is a denial of service (DoS) vulnerability that needs to be addressed. It has been registered as CVE-2021-45105.

However, it should be mentioned that it has been classified as less gravity, although it is still high. Of course, it is also essential that users update as soon as possible and thus avoid problems that put their devices and their proper functioning at risk.

This problem was detected after version 2.15.0 was discovered to be vulnerable to possible DoS attacks and later also affected version 2.16.0. This bug arose in Apache’s JIRA project. This caused Apache to release a new vulnerability registered as CVE-2021-45105, with a Danger score of 7.5.

As indicated in the information note, “Apache Log4j2 versions 2.0-alpha1 to 2.16.0 did not protect against uncontrolled recursion of self-referential searches.”

Vulnerability in Log4j

Important to install the latest version

Once again, it turns out it is essential to install the latest version available to avoid security problems. In this case it is version 2.17.0. This patch has already been released and allows search strings in settings to be recursively expanded.

This problem appears just when Google has indicated that more than 35,000 Java packages they have Log4j flaws. Most of them use these packages indirectly and this means that not all developers can have a clear visibility of their software.

Even from Google they claim to be pessimistic about the time to end this whole matter. They believe that it will be years before the Log4j vulnerabilities are completely removed from all Java packages. This gives hackers a great opportunity to target vulnerable servers, where they can sneak malware or ransomware.

The best option we have to correct these problems and avoid being victims of cyber attacks of this type is to install the latest versions. In this case it is add version 2.17.0 and correct this specific problem, but it is something that we must apply in any circumstance. We must always have the latest updates to the operating system, browser or any program that we use.

Although sometimes connection problems may arise after an update, we must always verify that we have those latest versions available and that our devices are really protected to be able to surf the net with guarantees and make things as difficult as possible for hackers.

Deepak Gupta

Deepak Gupta is a technical writer with a 10-year track record in business, gaming, and technology journalism. He specializes in translating complex technical data into actionable insights for a global audience.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *