2021-12-16

We talked about the Log4j library yesterday: a bug discovered in recent weeks is sowing panic. It is very serious, because it lets an attacker run code on a remote server without having any prior access to it, with whatever privileges the vulnerable application itself runs with, and updating is not easy, especially for those who have not kept their applications up to date.

Related: Log4Shell is officially the most serious cyber flaw of the last 10 years. Millions of attacks in the last few days.

Those who managed without too much trouble to update Log4j to version 2.15.0, the release that was meant to close the problem, now have to go back to work on their code: that version is vulnerable too. Its fix was incomplete and leaves two different attack paths open, and attackers are already exploiting them.

The patch, developed in a hurry because of the urgency, did not fully close the hole, and a further release, 2.16.0, was needed to fix the follow-up vulnerability, tracked as CVE-2021-45046.

There are two problems. The first allows, on some configurations, a denial-of-service attack (a DoS, not a DDoS: a single crafted input is enough) that can take the application down until it is restarted. The second, even more serious, allows data present on the server to be read and leaked without authorization. Both depend on a non-default logging configuration, a Pattern Layout that pulls values from the Thread Context (for example $${ctx:loginId}), combined with an attacker who controls what ends up in that context.

Praetorian researchers have released a video showing the problem.

Version 2.16.0 of Log4j should fix every problem: it removes message lookups entirely and disables the Java Naming and Directory Interface (JNDI) lookup, the root cause of the problem, by default (it can still be re-enabled through a configuration property, so the default is what matters). We hope this is really the case.

Many, however, are wondering why so many applications, used by billions of people, bundle such a library when a far less sophisticated solution would have been enough.

Log4j was created to handle logging, and it did that well. As the library grew, a series of features of little use to a logger were added, and it is these features that caused the problem: features that perhaps one developer in a hundred actually uses.

This is a problem common to many libraries: born to do one thing (and to do it quickly), they grow into small microcosms full of often useless accessory functions, which at the same time add attack surface and increase the weight of the application itself.