Patches of dangerous vulnerabilities being exploited by hackers contain dangerous holes and then continue to be exploited by hackers
In early December, the world was shocked when a critical code execution vulnerability was discovered in Log4j, a utility used by virtually every cloud computing service and enterprise network. Immediately, open source developers released an update to patch the bug and urged users to install the patch immediately.
Now researchers report that there are at least two vulnerabilities in the Log4j 2.15.0 patch update. Not only that, hackers are also exploiting one of those two vulnerabilities, targeting targets that have installed the patch. Therefore, the researchers once again urge everyone to quickly install the Log4j 2.16.0 update to patch the vulnerability being tracked under the code CVE-2021-45046.
According to the researchers, patch 2.15.0 is incomplete in some non-default configurations, creating an opportunity for hackers to perform DDoS attacks. This can cause the attacked servers to be completely paralyzed until restarting or other actions are taken.
Version 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
The remaining vulnerability in patch 2.15.0 discovered by security firm Praetorian is related to information leakage. Hackers can exploit this vulnerability to download data from affected servers. The company has reported the issue to the Apache Foundation but still strongly advises users to install patch 2.16.0 as soon as possible.
You should read it
- Log4Shell zero-day vulnerability discovered, the new nightmare of enterprises
- Detected critical zero-day vulnerability on Adobe Reader
- Apple releases iOS 14.4.2, iOS 12.5.2, and watchOS 7.3.3 updates that patch the critical zero-day vulnerability
- GitLab patches critical vulnerability that allows hackers to take control of accounts
- Microsoft urgently patched zero-day vulnerability after 2 years of refusing to acknowledge it
- 'Printer Catastrophe' Vulnerability Threatens All Versions of Windows
- Apple patched many zero-day bugs in iOS 15.4.1 and macOS 12.3.1 updates
- Critical Vulnerability Discovered in 3 WordPress Plugins, Affects 84,000 Websites
- 13 popular applications have serious security vulnerabilities, users need to update immediately
- AMD CPUs also have security vulnerabilities that have existed for many years now!
- Apple Patches Zero-Day Vulnerability That Could Let iPhones, iPads, and MacBooks Get Hacked
- New privilege escalation vulnerability called 'Dirty Pipe' is threatening all Linux distros
Maybe you are interested
Google releases emergency security patch, fixes 4 security flaws on Chrome
Should operating system patches be updated as soon as they are released?
Windows 10 will receive 5 years of additional support through 0patch
iOS 15.5: Only some minor improvements, mainly patching security holes
Google releases emergency update to patch Chrome vulnerability
Intel is about to release a 'mysterious' patch for processors released since 2017, users note