“When the logging configuration uses a non-default pattern layout with either a context lookup (for example, $${ctx:loginId}) or a thread context map pattern (%X, %mdc, or %MDC), it allows attackers who control Thread Context Map (MDC) input data to supply input using a JNDI lookup pattern, resulting in a denial of service (DOS),” the CVE explanation states.
As the CVE notes, Apache has already published a fix for this latest issue: Log4j 2.16.0.
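A defender-side check for the configuration condition quoted above, added here as an example and not taken from the article or from Apache: it parses a Log4j 2 XML configuration (a constructed sample is embedded) and reports every PatternLayout whose pattern contains the context lookup (`$${ctx:...}`) or thread context map (`%X`, `%mdc`, `%MDC`) tokens the CVE names. The function names and the sample configuration are assumptions; it goes slightly beyond the quote in that it handles both the `pattern` attribute and a nested `<Pattern>` element. The remediation remains the one the article gives (upgrade to Log4j 2.16.0); this check only tells you which appenders use the non-default layouts.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample log4j2.xml (not from the article). The "Safe" appender uses a
# default-style pattern; the "Risky" appender uses a Context Lookup and Thread
# Context Map patterns, i.e. the non-default layouts the CVE text describes.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d [%t] user=$${ctx:loginId} mdc=%X{requestId} %MDC - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Safe"/>
      <AppenderRef ref="Risky"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Tokens named in the CVE text: a Context Lookup ($${ctx:...}, also accepted
# with a single $) and the Thread Context Map conversion patterns %X, %mdc and
# %MDC, each optionally followed by a {key} selector.
CONTEXT_LOOKUP_RE = re.compile(r"\$\$?\{ctx:[^}]*\}")
MDC_PATTERN_RE = re.compile(r"%(?:X|mdc|MDC)(?:\{[^}]*\})?")


def find_risky_layouts(config_xml: str) -> List[Dict[str, object]]:
    """Return one record per PatternLayout that uses a context lookup or
    thread context map pattern; an empty list means no appender matches."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    # ElementTree has no parent pointers, so build a child -> parent map to
    # recover the appender name that owns each layout.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for layout in root.iter("PatternLayout"):
        # The pattern may be given as an attribute or as a nested <Pattern> element.
        pattern = layout.get("pattern") or (layout.findtext("Pattern") or "")
        lookups = CONTEXT_LOOKUP_RE.findall(pattern)
        mdc = MDC_PATTERN_RE.findall(pattern)
        if not lookups and not mdc:
            continue
        appender = parent_of.get(layout)
        findings.append({
            "appender": appender.get("name", "?") if appender is not None else "?",
            "pattern": pattern,
            "context_lookups": lookups,
            "mdc_patterns": mdc,
        })
    return findings


if __name__ == "__main__":
    for f in find_risky_layouts(SAMPLE_CONFIG):
        print(f"appender {f['appender']!r} uses a non-default layout: "
              f"lookups={f['context_lookups']} mdc={f['mdc_patterns']}")
        print(f"  pattern: {f['pattern']}")
```

Run it against a real `log4j2.xml` by reading the file into `find_risky_layouts`; an appender in the output means MDC-derived values reach a lookup-capable layout and the upgrade to 2.16.0 should be prioritised for that service.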
The original bug in Log4j, the Java library used to log error messages in applications, has been making headlines since last week. According to Cloudflare, attacks began on December 1st.
The Dutch National Cyber Security Centre (NCSC-NL) has published a long list of software affected by the vulnerability.
ESET has published a map of countries where attempts to exploit Log4j were seen, with the largest volume in the US, UK, Turkey, Germany and the Netherlands.
“The size of our detections confirms that this is a large-scale problem that will never go away. Attackers are sure to test many types of exploitation, but not all attempts are necessarily harmful,” said Roman Kovac, Chief Research Officer at ESET.
Many companies are already seeing attacks that exploit the vulnerability. Armis told ZDNet that more than a third of its customers (35%) had seen attempted Log4Shell attacks. The attackers sometimes target physical servers, virtual servers and IP cameras.