TL;DR: The latest vulnerabilities found in Log4j 2.17.0 are much less serious than the hype would suggest. Continue to patch your systems to at least Log4j 2.17.0 (Java 8) or 2.12.3 (Java 7).
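A small defender-side check that follows the TL;DR advice, added here as an example and not part of the original post or of any scanning tool it mentions: it reads the Log4j version out of `log4j-core` jar file names and reports whether each one is at or above the two minimum versions the post gives (2.17.0 on the Java 8 line, 2.12.3 on the Java 7 line). The file names are constructed sample input; the `log4j-core-<version>.jar` naming pattern is an assumption that holds for jars fetched from Maven Central, but not for shaded or renamed jars.

```python
import re

# Minimum fixed releases stated in the post, one per supported line.
MIN_JAVA8_LINE = (2, 17, 0)   # 2.13.x and later
MIN_JAVA7_LINE = (2, 12, 3)   # 2.12.x

# Only log4j-core carries the affected code; log4j-api jars are ignored.
# Assumed naming pattern: log4j-core-<major>.<minor>.<patch>.jar
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_log4j_version(path):
    """Return (major, minor, patch) for a log4j-core jar, or None if the
    path is not a log4j-core jar in the assumed naming pattern."""
    match = JAR_RE.search(path)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if the version meets the post's minimum for its release line.

    The 2.12.x line is compared against 2.12.3 (Java 7) and everything from
    2.13.0 upward against 2.17.0 (Java 8). Log4j 1.x and 2.0 - 2.11 have no
    fixed release named in the post, so they are always reported as needing
    an upgrade rather than silently passed.
    """
    major, minor, _patch = version
    if major != 2:
        return False
    if minor == 12:
        return version >= MIN_JAVA7_LINE
    if minor > 12:
        return version >= MIN_JAVA8_LINE
    return False


def audit_jars(paths):
    """Classify every log4j-core jar in `paths` as 'patched' or 'upgrade'.

    Returns a list of (path, version, status) tuples; non-core jars and
    unrecognised names are skipped so the caller sees only actionable rows.
    """
    findings = []
    for path in paths:
        version = parse_log4j_version(path)
        if version is None:
            continue
        status = "patched" if is_patched(version) else "upgrade"
        findings.append((path, version, status))
    return findings


# Constructed sample input: what a listing of an application's lib/ dir might contain.
SAMPLE_JARS = [
    "lib/log4j-api-2.17.0.jar",     # api jar, ignored
    "lib/log4j-core-2.14.1.jar",    # Java 8 line, below 2.17.0
    "lib/log4j-core-2.16.0.jar",    # the release with the DoS issue, below 2.17.0
    "lib/log4j-core-2.12.1.jar",    # Java 7 line, below 2.12.3
    "lib/log4j-core-2.12.3.jar",    # Java 7 line, at the minimum
    "lib/log4j-core-2.17.0.jar",    # Java 8 line, at the minimum
    "lib/other-library-2.17.0.jar", # unrelated jar, ignored
]

if __name__ == "__main__":
    for path, version, status in audit_jars(SAMPLE_JARS):
        print(f"{status:8} {'.'.join(map(str, version)):8} {path}")
```

The branch-aware comparison matters in practice: a naive `version >= (2, 17, 0)` check would flag 2.12.3 as unpatched even though it is the fixed release for Java 7, while a naive "is it 2.12.3 or 2.17.0" check would pass nothing else. File-name matching is only a first pass; jars bundled inside fat jars or WAR files need their contents inspected, not just their names.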
Anyone on this train deserves a much-needed break. After a DoS attack with limited impact was discovered in 2.16.0 and Log4j was updated to 2.17.0 to fix it, another, even less impactful vulnerability was discovered in 2.17.0. I wonder if we should put "vulnerability" in quotes, because this latest one requires an attacker to have access to the logger configuration file, which is a very privileged and unlikely scenario. It's so minor that we have chosen not to scan for it in our Log4Shell scanning tool. We hope the focus will remain on fixing the far more critical vulnerabilities in earlier versions.
In this post, we'll look at the motivations and repercussions of hyping up this far less serious attack vector. Then, we'll look at a timeline of the vulnerabilities discovered in log4j, ending with this latest vulnerability.