"Log4Shell Remains a Big Threat and a Common Cause for Security Breaches"

A year after receiving patches and extensive attention, the Log4Shell vulnerability that affected millions of company applications remains a prominent cause of security breaches and is projected to be a popular target for some time. Its lasting effect emphasizes the significant risks posed by flaws in transitive software dependencies and the urgent need for companies to employ software composition analysis and safe supply chain management processes. Log4Shell, tracked as CVE-2021-44228, was discovered in Log4j, a widely used open-source Java library for logging. Initially revealed as a zero-day vulnerability, the project's developers promptly prepared a patch. However, getting this patch widely adopted and applied proved difficult because it relied on software developers who used this component to provide their own updates. The situation was further worsened by the transitive nature of the vulnerability, as software projects that used Log4j also included a large number of third-party components or development frameworks that were dependencies for other applications. Even the use of the Log4j library was not required to be impacted by the flaw since the vulnerable Java class JndiManager provided in Log4j-core was borrowed by 783 other projects and is now present in more than 19,000 software components. This article continues to discuss the critical Log4Shell vulnerability, how it will remain a challenge, and its exploitation attempts remaining high. 

CSO Online reports "Log4Shell Remains a Big Threat and a Common Cause for Security Breaches"