A popular logging tool used by a large number of projects exhibited a vulnerability allowing remote code execution. A second vulnerability came later.
The impact, as the US-specific references cited below may illustrate, can't be overstated. This is due to the critical nature of the vulnerability, its ease of exploitation, and the pervasiveness and high degree of composability of this component, coupled with the back-to-back vulnerability disclosures in December followed by another wave affecting Log4j 1.x in January.
This incident triggered several conversations across the industry, including on detection, hotpatching techniques and open source sustainability.
While this was a source code compromise, its severity was compounded by all the factors above.
- Understanding the Impact of Apache Log4j Vulnerability
- Log4j One Month On
- Another Remote Code Execution Vulnerability Patched in Log4j
- New Log4j 1.x CVEs, and critical Chainsaw Vulnerability — What to Do?
- FTC warns companies to remediate Log4j security vulnerability
- Commentary from The White House
- Hotpatch for Apache Log4j from Amazon Web Services
- codeql-queries/log4j-injection.ql at master · cldrn/codeql-queries