A patch created to solve but with truly unexpected (and disastrous) implications. Instead of closing Java’s vulnerability, Log4J ended up introducing two new ones. The hackers ready to shoot are already working to exploit them properly.

In recent days, a major bug was discovered in the library Apache Log4J. The vulnerability was made known by the name Log4Shell, a major flaw in favor of external attacks. Theoretically it was a 0-day bug, inherent in the software from the start and spotted too late. Being an element Java, it was already widespread once the flaw was discovered.

To resolve, we ran for cover quickly updating Log4J with the new version 2.15.0. Unfortunately, the miraculous solution seems not to have been a godsend. Panic now rises among those who managed to complete the update. 2.15.0 has two more flaws that hackers have already spotted, ready to exploit them.

In other words, the generated patch only exacerbated the initial problem. In short, we need another one, fortunately, already on the way: the 2.16.0. The vulnerability to be covered is CVE-2021-45046. A code that has not made many people sleep.

2.16.0 should finally close this chapter. In fact, it will also inhibit what seems to be directly responsible for all the Log4J flaws: the Java Naming and Directory Interface.

The dynamics of the flaws

The flaws generated by the 2.15.0 version of Log4J were linked to two unwanted openings to external attacks. One allowed on certain configurations inputs capable of blocking the whole system. It was interference similar to a DDoS, which disturbs the server traffic by amplifying it.

The second flaw made it possible instead to download data from the server without requesting authorization. Both problems have the same origin: the new features of Log4J moreover not essential. These are tools that only some professional developers use. The case would have been limited if only those who actually needed these functions had downloaded the library.

Unfortunately, however, many libraries happen to grow larger and end up being vulnerable. Unused ancillary functions can become threats. They are also uncomfortable as they considerably increase the weight of the application. Too much is good, as they say.

