Editor: Saritha Priya Date: 12-01-2022 at 9:05 AM
With the last month of 2021 dominated by the Log4J vulnerability disclosures, publications and patches arriving in rapid succession, odds are you have patched at least some, if not all, of your systems against Log4J exploitation attempts. You might even have installed the latest patch; at the time of writing, that is 2.17.1, but if the recent rapid patching cycle persists, it may have changed by the time this is published.
In the meantime, defenders might have been working overtime to plug Log4J-born security gaps, but so have cyber-attackers. Log4J’s well-deserved fame also alerted cyber-attackers to a potential entry pathway into their targets. And while Log4J will hopefully vanish from the headlines, cyber-attackers are likely to keep trying to exploit it in the hope of finding unpatched or incompletely patched targets.
As human error still accounts for 95% of all security breaches, cyber-attackers actively rely on those errors and take advantage of the false sense of security that comes from assuming patches have been applied successfully.
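One way to check for the incomplete-patching scenario described above, added here as an example that is not part of the original article: a scan that reads the version recorded in each log4j-core JAR's Maven pom.properties, descends into WARs and EARs that bundle their own copy, and flags anything below the version the article cites. The 2.17.1 floor, the file names and the sample tree built by demo() are assumptions of this example.

```python
import io
import os
import tempfile
import zipfile
BASELINE = (2, 17, 1)  # assumption: the version the article cites; 2.12.x/2.3.x backports need their own floor
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):  # '2.14.1' -> (2, 14, 1): compare versions numerically, never as strings
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())

def core_version(zf):
    """log4j-core version recorded in the JAR's Maven pom.properties, or None."""
    props = zf.read(POM).decode("utf-8", "replace") if POM in zf.namelist() else ""
    return next((line.split("=", 1)[1].strip() for line in props.splitlines() if line.startswith("version=")), None)

def walk_archive(zf, label):
    """Yield (location, version) for this archive and every JAR nested inside it."""
    if version := core_version(zf):
        yield label, version
    for name in zf.namelist():  # WAR/EAR/fat JARs bundle their own log4j-core copies
        if name.lower().endswith(ARCHIVES):
            data = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(data):  # skip entries that are not real archives
                with zipfile.ZipFile(data) as inner:
                    yield from walk_archive(inner, f"{label}!{name}")

def scan(root):
    """Every log4j-core copy under root older than BASELINE, as (location, version) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            if path.lower().endswith(ARCHIVES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    findings += [hit for hit in walk_archive(zf, path) if parse_version(hit[1]) < BASELINE]
    return findings

def demo():
    """Constructed sample tree: a patched standalone JAR plus an old copy buried in a WAR."""
    def jar(version):  # minimal archive carrying only log4j-core's pom.properties
        with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
            zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(jar("2.17.1"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar("2.14.1"))
    return scan(root)
```

Run scan() against a real deployment root to get the same (location, version) pairs; the location string uses `!` to mark each nesting level, so a hit inside a WAR is reported even when the standalone JAR beside it is already patched.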
The Log4J saga is a perfect storm to generate a high number of patching errors as it combines:
1 — Acute stress: Log4J was named the worst vulnerability in decades, and Cloudflare qualified it as “so bad we’re going to try and roll out at least some protection for all @Cloudflare customers by default, even free customers who do not have our WAF.”